Windows Analysis Report
setup.msi

Overview

General Information

Sample name: setup.msi
Analysis ID: 1584820
MD5: 15d99525d13a5963a340fb7330bff4f8
SHA1: 4f680ffe01e7bb4f1ee4454e61556f2cf550283d
SHA256: b5df645adcfc9f55d11dc9a9448a7a9e29373c4364f846e5253bdc6b9fa70de2
Tags: LegionLoader, msi, palmsizehelis-com, RobotDropper, user-aachum
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AdvancedInstaller

Classification

  • System is w10x64
  • msiexec.exe (PID: 2688 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 1448 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4176 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 6980 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7120 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • obs-ffmpeg-mux.exe (PID: 1832 cmdline: "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe" MD5: D3CAC4D7B35BACAE314F48C374452D71)
        • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 6904 cmdline: "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_AdvancedInstaller | Yara detected AdvancedInstaller | Joe Security |

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 4176, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6980, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 4176, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6980, ProcessName: powershell.exe
    Source: Process started | Author: frack113 | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 4176, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6980, ProcessName: powershell.exe
    Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.32.152, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 4176, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
    Source: Process started | Author: frack113 | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 4176, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6980, ProcessName: powershell.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 4176, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6980, ProcessName: powershell.exe

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-06T15:35:16.944702+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.32.152 | 443 | TCP


    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.6% probability
    Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{66953C33-9A06-4AA2-86BC-B339791EE9DF}
    Source: unknown | HTTPS traffic detected: 104.21.32.152:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1865844208.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: ucrtbase.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
    Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000000.1869544885.00007FF758D35000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1865844208.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI4D0A.tmp.1.dr, MSI4DD8.tmp.1.dr, MSI4C2C.tmp.1.dr, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, MSI4D69.tmp.1.dr, 5c43b0.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
    Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
    Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, MSI4D69.tmp.1.dr, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 5c43b0.msi.1.dr
    Source: C:\Windows\System32\msiexec.exe | File opened: z:
    Source: C:\Windows\System32\msiexec.exe | File opened: x:
    Source: C:\Windows\System32\msiexec.exe | File opened: v:
    Source: C:\Windows\System32\msiexec.exe | File opened: t:
    Source: C:\Windows\System32\msiexec.exe | File opened: r:
    Source: C:\Windows\System32\msiexec.exe | File opened: p:
    Source: C:\Windows\System32\msiexec.exe | File opened: n:
    Source: C:\Windows\System32\msiexec.exe | File opened: l:
    Source: C:\Windows\System32\msiexec.exe | File opened: j:
    Source: C:\Windows\System32\msiexec.exe | File opened: h:
    Source: C:\Windows\System32\msiexec.exe | File opened: f:
    Source: C:\Windows\System32\msiexec.exe | File opened: b:
    Source: C:\Windows\System32\msiexec.exe | File opened: y:
    Source: C:\Windows\System32\msiexec.exe | File opened: w:
    Source: C:\Windows\System32\msiexec.exe | File opened: u:
    Source: C:\Windows\System32\msiexec.exe | File opened: s:
    Source: C:\Windows\System32\msiexec.exe | File opened: q:
    Source: C:\Windows\System32\msiexec.exe | File opened: o:
    Source: C:\Windows\System32\msiexec.exe | File opened: m:
    Source: C:\Windows\System32\msiexec.exe | File opened: k:
    Source: C:\Windows\System32\msiexec.exe | File opened: i:
    Source: C:\Windows\System32\msiexec.exe | File opened: g:
    Source: C:\Windows\System32\msiexec.exe | File opened: e:
    Source: C:\Windows\System32\cmd.exe | File opened: c:
    Source: C:\Windows\System32\msiexec.exe | File opened: a:
    Source: Yara match | File source: sslproxydump.pcap, type: PCAP

    Networking

    Source: Network traffic | Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 104.21.32.152:443
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: palmsizehelis.com
    Source: unknown | HTTP traffic detected:
        POST /updater2.php HTTP/1.1
        Content-Type: application/x-www-form-urlencoded; charset=utf-8
        User-Agent: AdvancedInstaller
        Host: palmsizehelis.com
        Content-Length: 71
        Cache-Control: no-cache
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
    Source: createdump.exe.1.dr | String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
    Source: createdump.exe.1.dr | String found in binary or memory: http://ccsca2021.ocsp-certum.com05
    Source: createdump.exe.1.dr | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
    Source: createdump.exe.1.dr | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
    Source: createdump.exe.1.dr | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
    Source: powershell.exe, 00000003.00000002.1814274714.0000000007A7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
    Source: powershell.exe, 00000003.00000002.1814274714.0000000007A7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: swresample-4.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: avformat-60.dll.1.dr | String found in binary or memory: http://dashif.org/guidelines/trickmode
    Source: powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: setup.msi, avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr, 5c43b0.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0K
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
    Source: avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: powershell.exe, 00000003.00000002.1810593247.0000000005556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1809843832.00000000032D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: createdump.exe.1.dr | String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
    Source: createdump.exe.1.dr | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
    Source: createdump.exe.1.dr | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
    Source: createdump.exe.1.dr | String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: http://schemas.micj
    Source: powershell.exe, 00000003.00000002.1810593247.0000000005401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: avformat-60.dll.1.dr | String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
    Source: createdump.exe.1.dr | String found in binary or memory: http://subca.ocsp-certum.com01
    Source: createdump.exe.1.dr | String found in binary or memory: http://subca.ocsp-certum.com02
    Source: createdump.exe.1.dr | String found in binary or memory: http://subca.ocsp-certum.com05
    Source: powershell.exe, 00000003.00000002.1810593247.0000000005556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1809843832.00000000032D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: createdump.exe.1.dr | String found in binary or memory: http://www.certum.pl/CPS0
    Source: setup.msi, avformat-60.dll.1.dr, zlib.dll.1.dr, swresample-4.dll.1.dr, 5c43b0.msi.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1876117538.00007FFDF9E10000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.videolan.org/x264.html
    Source: zlib.dll.1.dr | String found in binary or memory: http://www.zlib.net/D
    Source: powershell.exe, 00000003.00000002.1810593247.0000000005401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBfq
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
    Source: powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000003.00000002.1810593247.0000000005556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1809843832.00000000032D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.1810593247.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: https://palmsizehelis.com/updater2.phpx
    Source: createdump.exe.1.dr | String found in binary or memory: https://www.certum.pl/CPS0
    Source: setup.msi, 5c43b0.msi.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknownHTTPS traffic detected: 104.21.32.152:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5c43b0.msi
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4C2C.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4C9A.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4CDA.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4D0A.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4D69.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4DA8.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4DD8.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6D48.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{66953C33-9A06-4AA2-86BC-B339791EE9DF}
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7289.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7299.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5c43b3.msi
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5c43b3.msi
    Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI4C2C.tmp
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF758D32A10
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF758D32EE0
    Source: avcodec-60.dll.1.dr | Static PE information: Number of sections : 13 > 10
    Source: avutil-58.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: swresample-4.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: swscale-7.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: zlib.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: avformat-60.dll.1.dr | Static PE information: Number of sections : 12 > 10
    Source: api-ms-win-core-handle-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-string-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-memory-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-heap-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l2-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-profile-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-localization-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-util-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
    Source: setup.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
    Source: setup.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi
    Source: classification engine | Classification label: mal68.evad.winMSI@17/88@1/1
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML7BB8.tmp
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3272:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFE9C730EA38F4649A.TMP
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
    Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
    Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe"
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe"
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe"
    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: atlthunk.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Section loaded: dbgcore.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: obs.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: avcodec-60.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: avutil-58.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: avformat-60.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: w32-pthreads.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: vcruntime140.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: avutil-58.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Section loaded: swresample-4.dll
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{66953C33-9A06-4AA2-86BC-B339791EE9DF}
    Source: setup.msi | Static file information: File size 60709004 > 1048576
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1865844208.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: ucrtbase.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
    Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000000.1869544885.00007FF758D35000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1865844208.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI4D0A.tmp.1.dr, MSI4DD8.tmp.1.dr, MSI4C2C.tmp.1.dr, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, MSI4D69.tmp.1.dr, 5c43b0.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
    Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
    Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 5c43b0.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, MSI4D69.tmp.1.dr, 5c43b0.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 5c43b0.msi.1.dr
    Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: link timestamp 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC] (dated in the future)
    Source: vcruntime140.dll.1.dr, BCUninstaller.exe.1.dr, createdump.exe.1.dr, UnRar.exe.1.dr | Static PE information: section name: _RDATA
    Source: avformat-60.dll.1.dr, avutil-58.dll.1.dr, swresample-4.dll.1.dr, swscale-7.dll.1.dr, zlib.dll.1.dr, avcodec-60.dll.1.dr | Static PE information: section name: .xdata
    Source: avcodec-60.dll.1.dr | Static PE information: section name: .rodata
    Source: MSI7299.tmp.1.dr, MSI4C2C.tmp.1.dr, MSI4C9A.tmp.1.dr, MSI4CDA.tmp.1.dr, MSI4D0A.tmp.1.dr, MSI4D69.tmp.1.dr, MSI4DA8.tmp.1.dr, MSI4DD8.tmp.1.dr, MSI6D48.tmp.1.dr | Static PE information: section name: .fptable
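A practitioner triaging the two static findings above (a link timestamp in 2043 and sections named _RDATA, .xdata, .rodata and .fptable) will usually want to reproduce them from the file itself rather than take the signature at face value. The Python script below is an added example written for this page; it is not Joe Sandbox code and was not part of the original report. It parses only the COFF header and the section table with the standard library, flags a TimeDateStamp later than a reference date, and lists section names outside a small allow-list. STANDARD_SECTIONS is the script's own heuristic, not an authoritative list, and the PE image it runs on is constructed inline with the report's timestamp value 0x8A188CB0 so that it runs offline without the real sample.

```python
"""Static triage for a PE file: future link timestamp and odd section names.

Added example for this report (not Joe Sandbox code). The sample image is
built in build_sample_pe() and is NOT one of the dropped files.
"""
import struct
from datetime import datetime, timezone

# Section names a typical MSVC or MinGW link emits; the rest get flagged.
# This allow-list is an assumption made for the example, not a standard.
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".00cfg", ".didat",
}

# Reference "now" for the future-timestamp check (the report is from early 2025).
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_pe(data: bytes) -> dict:
    """Return machine, link timestamp and section names from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size          # section headers follow the optional header
    names = []
    for i in range(nsect):                     # each IMAGE_SECTION_HEADER is 40 bytes
        raw = struct.unpack_from("8s", data, sect_table + i * 40)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": tstamp, "sections": names}


def assess(info: dict, now: datetime = REFERENCE_NOW) -> dict:
    """Flag a timestamp later than `now` and any non-standard section names."""
    linked = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    return {
        "linked_utc": linked.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "timestamp_in_future": linked > now,
        "nonstandard_sections": [n for n in info["sections"] if n not in STANDARD_SECTIONS],
    }


def build_sample_pe(timestamp: int, sections: list) -> bytes:
    """Construct a minimal headers-only PE32+ image for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE header right after the DOS stub
    opt = b"\x0b\x02" + b"\0" * 238            # PE32+ magic, remaining 238 bytes zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, len(opt), 0x2022)
    table = b"".join(struct.pack("8s", n.encode()) + b"\0" * 32 for n in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    # Mirror the report: timestamp 0x8A188CB0 and a MinGW-style .xdata section.
    sample = build_sample_pe(0x8A188CB0, [".text", ".rdata", ".data", ".xdata", ".pdata"])
    print(assess(parse_pe(sample)))
```

To run it on a real dropped file, replace the constructed sample with `open(path, "rb").read()`. Note that _RDATA is emitted by recent MSVC toolchains and .xdata by GCC/MinGW, so these flags are triage hints to pair with the signature's other evidence, not verdicts on their own.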
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0360BD96 push esp; ret 3_2_0360BDB3
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_07CB06BF push es; retf 3_2_07CB06CE
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_07CB0637 push es; retf 3_2_07CB0646
    Source: C:\Windows\System32\msiexec.exe | File created (dropped PE files) under C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\:
        api-ms-win-core-heap-l1-1-0.dll
        api-ms-win-core-handle-l1-1-0.dll
        api-ms-win-core-processthreads-l1-1-1.dll
        api-ms-win-core-synch-l1-2-0.dll
        api-ms-win-core-processenvironment-l1-1-0.dll
        vcruntime140_1.dll
        api-ms-win-core-file-l1-2-0.dll
        api-ms-win-core-timezone-l1-1-0.dll
        w32-pthreads.dll
        avutil-58.dll
        swresample-4.dll
        utest.dll
        api-ms-win-core-processthreads-l1-1-0.dll
        api-ms-win-crt-convert-l1-1-0.dll
        api-ms-win-core-namedpipe-l1-1-0.dll
        api-ms-win-core-rtlsupport-l1-1-0.dll
        api-ms-win-core-interlocked-l1-1-0.dll
        api-ms-win-crt-filesystem-l1-1-0.dll
        UnRar.exe
        api-ms-win-core-console-l1-1-0.dll
        api-ms-win-core-file-l2-1-0.dll
        api-ms-win-core-sysinfo-l1-1-0.dll
        createdump.exe
        api-ms-win-core-console-l1-2-0.dll
        api-ms-win-core-libraryloader-l1-1-0.dll
        api-ms-win-core-datetime-l1-1-0.dll
        api-ms-win-core-profile-l1-1-0.dll
        api-ms-win-core-util-l1-1-0.dll
        avformat-60.dll
        api-ms-win-core-memory-l1-1-0.dll
        api-ms-win-core-localization-l1-2-0.dll
        api-ms-win-core-string-l1-1-0.dll
        vcruntime140.dll
        BCUninstaller.exe
        obs-ffmpeg-mux.exe
        zlib.dll
        api-ms-win-crt-conio-l1-1-0.dll
        avcodec-60.dll
        api-ms-win-core-errorhandling-l1-1-0.dll
        api-ms-win-core-file-l1-1-0.dll
        api-ms-win-core-synch-l1-1-0.dll
        msvcp140.dll
        swscale-7.dll
        api-ms-win-core-debug-l1-1-0.dll
        api-ms-win-crt-environment-l1-1-0.dll
    Source: C:\Windows\System32\msiexec.exe | File created (dropped PE files) under C:\Windows\Installer\:
        MSI4C2C.tmp
        MSI4D69.tmp
        MSI4C9A.tmp
        MSI7299.tmp
        MSI4DD8.tmp
        MSI4D0A.tmp
        MSI4CDA.tmp
        MSI6D48.tmp
        MSI4DA8.tmp
    Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (26 occurrences; error-mode flag that suppresses the file-open error dialog)
    Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences; error-mode flag that suppresses the crash dialog)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (88 occurrences)
    Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX (4 occurrences)
    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (1 occurrence)
    Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)

    Malware Analysis System Evasion

    Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: FirmwareTableInformation (SystemFirmwareTableInformation exposes the SMBIOS/ACPI tables, whose vendor strings reveal common hypervisors)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences; the maximum 64-bit timeout value, i.e. an effectively infinite wait)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4686
    Source: C:\Windows\System32\msiexec.exe | Dropped PE files which have not been started:
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-heap-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-sysinfo-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-2-0.dll
        C:\Windows\Installer\MSI6D48.tmp
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-handle-l1-1-0.dll
        C:\Windows\Installer\MSI4C2C.tmp
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-libraryloader-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-datetime-l1-1-0.dll
        C:\Windows\Installer\MSI4D69.tmp
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-profile-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-1.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-util-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-memory-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processenvironment-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-2-0.dll
        C:\Windows\Installer\MSI4DA8.tmp
        C:\Windows\Installer\MSI4C9A.tmp
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-localization-l1-2-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-string-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140_1.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-2-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-timezone-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\BCUninstaller.exe
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\zlib.dll
        C:\Windows\Installer\MSI7299.tmp
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-conio-l1-1-0.dll
        C:\Windows\Installer\MSI4D0A.tmp
        C:\Windows\Installer\MSI4CDA.tmp
        C:\Windows\Installer\MSI4DD8.tmp
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\utest.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-convert-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-rtlsupport-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-namedpipe-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-interlocked-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-filesystem-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-errorhandling-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\msvcp140.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swscale-7.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-debug-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\UnRar.exe
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-environment-l1-1-0.dll
        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | API coverage: 8.2 %
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1196 | Thread sleep count: 4686 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5688 | Thread sleep count: 344 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1704 | Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6104 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: 5c43b0.msi.1.dr | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1876117538.00007FFDF99FA000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vmncVMware Screen Codec / VMware Video @
    Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1876117538.00007FFDF99FA000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: VMware Screen Codec / VMware Video
    Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Code function: 7_2_00007FF6017B2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF6017B2ECC
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Code function: 7_2_00007FF6017B3074 SetUnhandledExceptionFilter,7_2_00007FF6017B3074
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Code function: 7_2_00007FF6017B2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF6017B2984
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF758D33E04 SetUnhandledExceptionFilter,10_2_00007FF758D33E04
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF758D33C5C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00007FF758D33C5C
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF758D33774 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FF758D33774

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe"
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss7301.ps1" -propfile "c:\users\user\appdata\local\temp\msi72ee.txt" -scriptfile "c:\users\user\appdata\local\temp\scr72ef.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr72f0.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
    Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | Code function: 7_2_00007FF6017B2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF6017B2DA0
    Tactics and techniques, one tactic per line (digits in front of a technique are the report's count badges, kept as shown):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
    Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
    Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
    Execution: 1 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
    Persistence: 1 Windows Service; 1 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
    Privilege Escalation: 1 Windows Service; 11 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
    Defense Evasion: 21 Masquerading; 1 Disable or Modify Tools; 121 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
    Discovery: 1 System Time Discovery; 111 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 Peripheral Device Discovery; 13 System Information Discovery; System Owner/User Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
    Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
    Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
    Behavior Graph (ID 1584820; sample setup.msi; start date 06/01/2025; architecture WINDOWS; score 68)
    Signatures on the sample: Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder. Contacted domain: palmsizehelis.com.
    Process tree: two msiexec.exe instances are started from the sample. The first msiexec.exe drops C:\Windows\Installer\MSI7299.tmp (PE32), C:\Windows\Installer\MSI6D48.tmp (PE32), C:\Windows\Installer\MSI4DD8.tmp (PE32) and 51 other files (none is malicious), and starts a child msiexec.exe, cmd.exe and createdump.exe. The child msiexec.exe connects to palmsizehelis.com (104.21.32.152, port 443, CLOUDFLARENETUS, United States), drops C:\Users\user\AppData\Local\...\scr72EF.ps1, C:\Users\user\AppData\Local\...\pss7301.ps1 and C:\Users\user\AppData\Local\...\msi72EE.txt (Unicode), triggers "Query firmware table information (likely to detect VMs)" and "Bypasses PowerShell execution policy", and starts powershell.exe. cmd.exe starts obs-ffmpeg-mux.exe. A conhost.exe is started by each of cmd.exe, createdump.exe, powershell.exe and obs-ffmpeg-mux.exe.

    Source | Detection | Scanner | Label | Link
    setup.msi | 5% | ReversingLabs
    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\BCUninstaller.exe | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\UnRar.exe | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avcodec-60.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avformat-60.dll | 3% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avutil-58.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\msvcp140.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swresample-4.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swscale-7.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\utest.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140_1.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\w32-pthreads.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\zlib.dll | 0% | ReversingLabs
    C:\Windows\Installer\MSI4C2C.tmp | 0% | ReversingLabs
    C:\Windows\Installer\MSI4C9A.tmp | 0% | ReversingLabs
    C:\Windows\Installer\MSI4CDA.tmp | 0% | ReversingLabs
    C:\Windows\Installer\MSI4D0A.tmp | 0% | ReversingLabs
    C:\Windows\Installer\MSI4D69.tmp | 0% | ReversingLabs
    C:\Windows\Installer\MSI4DA8.tmp | 0% | ReversingLabs
    C:\Windows\Installer\MSI4DD8.tmp | 0% | ReversingLabs
    C:\Windows\Installer\MSI6D48.tmp | 0% | ReversingLabs
    C:\Windows\Installer\MSI7299.tmp | 0% | ReversingLabs
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://palmsizehelis.com/updater2.phpx | 0% | Avira URL Cloud | safe
    http://schemas.micj | 0% | Avira URL Cloud | safe
    http://dashif.org/guidelines/trickmode | 0% | Avira URL Cloud | safe
    https://palmsizehelis.com/updater2.php | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    palmsizehelis.com | 104.21.32.152 | true | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://palmsizehelis.com/updater2.php | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.certum.pl/ctsca2021.crl0o | createdump.exe.1.dr | false | | high
    http://repository.certum.pl/ctnca.cer09 | createdump.exe.1.dr | false | | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1810593247.0000000005556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1809843832.00000000032D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://crl.certum.pl/ctnca.crl0k | createdump.exe.1.dr | false | | high
    http://crl.microsoft | powershell.exe, 00000003.00000002.1814274714.0000000007A7D000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1810593247.0000000005556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1809843832.00000000032D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://go.micro | powershell.exe, 00000003.00000002.1810593247.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/Icon | powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://schemas.micj | setup.msi, 5c43b0.msi.1.dr | false | Avira URL Cloud: safe | unknown
    http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd | avformat-60.dll.1.dr | false | | high
    https://palmsizehelis.com/updater2.phpx | setup.msi, 5c43b0.msi.1.dr | false | Avira URL Cloud: safe | unknown
    http://ccsca2021.crl.certum.pl/ccsca2021.crl0s | createdump.exe.1.dr | false | | high
    https://www.certum.pl/CPS0 | createdump.exe.1.dr | false | | high
    https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1810593247.0000000005556000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1809843832.00000000032D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://repository.certum.pl/ccsca2021.cer0 | createdump.exe.1.dr | false | | high
    http://crl.micro | powershell.exe, 00000003.00000002.1814274714.0000000007A7D000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://repository.certum.pl/ctsca2021.cer0 | createdump.exe.1.dr | false | | high
    http://subca.ocsp-certum.com05 | createdump.exe.1.dr | false | | high
    http://www.zlib.net/D | zlib.dll.1.dr | false | | high
    http://subca.ocsp-certum.com02 | createdump.exe.1.dr | false | | high
    https://aka.ms/pscore6lBfq | powershell.exe, 00000003.00000002.1810593247.0000000005401000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://subca.ocsp-certum.com01 | createdump.exe.1.dr | false
                                                  high
                                                  http://www.videolan.org/x264.htmlobs-ffmpeg-mux.exe, 0000000A.00000002.1876117538.00007FFDF9E10000.00000002.00000001.01000000.00000008.sdmpfalse
                                                    high
                                                    https://contoso.com/powershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1813156845.0000000006469000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://dashif.org/guidelines/trickmodeavformat-60.dll.1.drfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://crl.certum.pl/ctnca2.crl0lcreatedump.exe.1.drfalse
                                                          high
                                                          http://repository.certum.pl/ctnca2.cer09createdump.exe.1.drfalse
                                                            high
                                                            http://ccsca2021.ocsp-certum.com05createdump.exe.1.drfalse
                                                              high
                                                              https://aka.ms/winui2/webview2download/Reload():setup.msi, 5c43b0.msi.1.drfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1810593247.0000000005401000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.certum.pl/CPS0createdump.exe.1.drfalse
                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.32.152 | palmsizehelis.com | United States | 13335 | CLOUDFLARENETUS | true
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1584820
                                                                    Start date and time:2025-01-06 15:34:14 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 6m 38s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:setup.msi
                                                                    Detection:MAL
                                                                    Classification:mal68.evad.winMSI@17/88@1/1
                                                                    EGA Information:
                                                                    • Successful, ratio: 33.3%
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 15
                                                                    • Number of non-executed functions: 35
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .msi
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                    • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target obs-ffmpeg-mux.exe, PID 1832 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 6980 because it is empty
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
09:35:18 | API Interceptor | 4x Sleep call for process: powershell.exe modified
                                                                    No context
                                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://sendbot.me/mousse-w0fysl7 | malicious | Unknown | 104.16.79.73
 | http://gleapis.com/ | malicious | Unknown | 104.17.25.14
 | SET_UP.exe | malicious | LummaC | 188.114.97.3
 | http://jennadewanunwrapped.net | malicious | Unknown | 188.114.97.3
 | http://103-198-26-128.hinet-ip.hinet.net/wp/plugins/Tracking/click/php/SuperTracking.html#UUJWakY1bVdkWlZQejIwbVl3cDFHb2haOENXZVhYZlpLTUNSU2x1eEVCdGJtbVhKT0ZWNkVTNjlQSXJDLzI3ekErVVlzTkFZbkh5T29jeG1LcWM4YkJUekd2M2h4amIxRWZ4am4va3cvOVk9 | malicious | Unknown | 172.66.0.145
 | Profile Illustrations and Technical Specifications for This System1.html | malicious | HTMLPhisher | 104.21.80.1
 | fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
 | anrek.mp4.hta | malicious | LummaC Stealer | 188.114.96.3
 | title.mp4.hta | malicious | LummaC, PureLog Stealer, zgRAT | 172.67.208.58
 | http://www.housepricesintheuk.co.uk | malicious | Unknown | 172.64.155.119
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | 2749837485743-7684385786.05.exe | malicious | Nitol | 104.21.32.152
 | 2749837485743-7684385786.05.exe | malicious | Unknown | 104.21.32.152
 | drop1.exe | malicious | CredGrabber, Meduza Stealer | 104.21.32.152
 | ZT0KQ1PC.exe | malicious | PureLog Stealer, Vidar | 104.21.32.152
 | LinxOptimizer.exe | malicious | Unknown | 104.21.32.152
 | setup.msi | malicious | Unknown | 104.21.32.152
 | drop1.exe | malicious | CredGrabber, Meduza Stealer | 104.21.32.152
 | 2b687482300.6345827638.08.exe | malicious | Unknown | 104.21.32.152
 | 2b687482300.6345827638.08.exe | malicious | Unknown | 104.21.32.152
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\UnRar.exe | setup.msi | malicious | Unknown
 | Setup.msi | malicious | Unknown
 | 6a7e35.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | 48.252.190.9.zip | malicious | Unknown
 | setup.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\BCUninstaller.exe | setup.msi | malicious | Unknown
 | Setup.msi | malicious | Unknown
 | 6a7e35.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | setup.msi | malicious | Unknown
 | 48.252.190.9.zip | malicious | Unknown
 | setup.msi | malicious | Unknown

Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:modified
                                                                                                            Size (bytes):19986
                                                                                                            Entropy (8bit):5.8333679658577635
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:7Z1pzRdtmXeks76G0uZWbbZBZN01VuD5vokphIMGKvkLMgjfWGI+1bfZ52AkXYAM:77pzRdtmXeks76G0uZWbbZBZN01VuD5g
                                                                                                            MD5:35D91CA719420F527CDE5DA73281F319
                                                                                                            SHA1:3C9C46D88A8BFB2EB196618A661829A25897C151
                                                                                                            SHA-256:FA5A4EF73DFF34C8566242D9D8B2B94ECC90F532AC3184D006C3259A87EBB499
                                                                                                            SHA-512:9947496B65F9BC21887E140EBC4FC3A541E146216E5FF7A6E24C1485C733F8DF657ED9FAFC2B237D72863A86E7F2868C7A9A9390FF27B4D17A1B8A9379937F5A
                                                                                                            Malicious:false
                                                                                                            Preview:...@IXOS.@.....@jL&Z.@.....@.....@.....@.....@.....@......&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}..Weisx App..setup.msi.@.....@.....@.....@......icon_24.exe..&.{327C9D99-2094-4698-BA9F-6725EDBE02DC}.....@.....@.....@.....@.......@.....@.....@.......@......Weisx App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{FDDB96EE-847D-4B25-85B1-65E662CF63A8}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{9608D8ED-8EC6-4540-B232-4A823606F862}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{17B6E8D6-C004-40DB-BB2D-125D7C1CC21E}&.{66953C33-9A06-4AA2

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1360
                                                                                                            Entropy (8bit):5.416242597923778
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:3T/WSKco4KmBs4RPT6GjKbmFoUebIKo+mZ9t7J0gt/NK3R82r+SVbR:LWSU4y4RFymFoUeW+mZ9tK8NWR82jVbR
                                                                                                            MD5:4B7D84411A407C2ED05BC622322A3C5F
                                                                                                            SHA1:3EDA4833DEBC63EE6099993FFE86E8AFA4DE5432
                                                                                                            SHA-256:7D9E4680EC13636C3BFB4A42ADDB80CFF748E3E7A6B50EB0D213801924082C36
                                                                                                            SHA-512:04E12A609B41877AA859CF18ED9850FEE4C452717F344DA41B2AD971768E55B5BB304D81EACE6892FD8D471382631E2D0DF72938127647FC6FE9820C1C721BC8
                                                                                                            Malicious:false
                                                                                                            Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):100
                                                                                                            Entropy (8bit):3.0073551160284637
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
                                                                                                            MD5:7A131AC8F407D08D1649D8B66D73C3B0
                                                                                                            SHA1:D93E1B78B1289FB51E791E524162D69D19753F22
                                                                                                            SHA-256:9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
                                                                                                            SHA-512:47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
                                                                                                            Malicious:true
Preview (decoded from UTF-16LE; the value of QuiteSes is empty):QuiteSes :<->:  <<:>> ExtendExpire :<->: 0 <<:>> 

Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):6668
                                                                                                            Entropy (8bit):3.5127462716425657
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                                                            MD5:30C30EF2CB47E35101D13402B5661179
                                                                                                            SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                                                            SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                                                            SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                                                            Malicious:true
Preview (decoded from UTF-16LE; the report's preview is truncated):
param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)]                          [preview ends here]

Process:C:\Windows\SysWOW64\msiexec.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):266
Entropy (8bit):3.500405439723985
Encrypted:false
SSDEEP:6:Q1AGYNk79idK3fOlFoulk+KiV64AGIArMTlP1LlG7JidK3falnUOn03AnfGR:Q1F3Kvoq3VFVrMTQNeFUr3ZR
MD5:A18EA6E053D5061471852A4151A7D4D0
SHA1:AEA460891F599C4484F04A3BC5ACC62E9D5AD9F7
SHA-256:C4EF109DD1FEF1A7E4AF385377801EEA0E7936D207EBCEBBE078BAD56FB1F4AB
SHA-512:7530E2974622BB6649C895C062C151AC7C496CCC0BDAE4EB53C6F29888FA7B1E184026FBB39DDB5D8741378BEE969DD70B34AC7459F3387D92D21DBCFE28DC9A
Malicious:true
Preview (UTF-16LE decoded):
$skgiehg = AI_GetMsiProperty "QuiteSes"
$oigseigj = [uint32]($skgiehg -replace 't', '')
AI_SetMsiProperty "ExtendExpire" $oigseigj

Process:C:\Windows\System32\msiexec.exe
File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:dropped
Size (bytes):195906
Entropy (8bit):4.669224805215773
Encrypted:false
SSDEEP:1536:k1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykl:k1Z0vZXJZYDFufyXbJNCcr
MD5:E40B08C6FF5F07916B45741B7D0C5E87
SHA1:94C2357A59BAA3B537993F570CEA03EC51C1917B
SHA-256:131ABD59B7D4B6177F2815E8CEB0F3DA325CB1074AEFBE99F61A382F1895AF44
SHA-512:FA8453DD4936F772381E50533CD91DB8857F1A608CEB91F225300FC4E9DE8475EB416A3682D0C85829058570EBB9BBDF18CC650D36FA87E13BC262C827D0C695
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):310928
Entropy (8bit):6.001677789306043
Encrypted:false
SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
MD5:147B71C906F421AC77F534821F80A0C6
SHA1:3381128CA482A62333E20D0293FDA50DC5893323
SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: setup.msi, Detection: malicious
• Filename: Setup.msi, Detection: malicious
• Filename: 6a7e35.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: 48.252.190.9.zip, Detection: malicious
• Filename: setup.msi, Detection: malicious

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):506008
Entropy (8bit):6.4284173495366845
Encrypted:false
SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: setup.msi, Detection: malicious
• Filename: Setup.msi, Detection: malicious
• Filename: 6a7e35.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: 48.252.190.9.zip, Detection: malicious
• Filename: setup.msi, Detection: malicious

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12224
Entropy (8bit):6.596101286914553
Encrypted:false
SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
MD5:919E653868A3D9F0C9865941573025DF
SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12224
Entropy (8bit):6.640081558424349
Encrypted:false
SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
MD5:7676560D0E9BC1EE9502D2F920D2892F
SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11712
Entropy (8bit):6.6023398138369505
Encrypted:false
SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.614262942006268
Encrypted:false
SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.654155040985372
Encrypted:false
SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
MD5:94788729C9E7B9C888F4E323A27AB548
SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):15304
Entropy (8bit):6.548897063441128
Encrypted:false
SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
MD5:580D9EA2308FC2D2D2054A79EA63227C
SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11712
Entropy (8bit): 6.622041192039296
Encrypted: false
SSDEEP: 192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
MD5: 35BC1F1C6FBCCEC7EB8819178EF67664
SHA1: BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
SHA-256: 7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
SHA-512: 9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.730719514840594
Encrypted: false
SSDEEP: 192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
MD5: 3BF4406DE02AA148F460E5D709F4F67D
SHA1: 89B28107C39BB216DA00507FFD8ADB7838D883F6
SHA-256: 349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
SHA-512: 5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.626458901834476
Encrypted: false
SSDEEP: 192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
MD5: BBAFA10627AF6DFAE5ED6E4AEAE57B2A
SHA1: 3094832B393416F212DB9107ADD80A6E93A37947
SHA-256: C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
SHA-512: D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12232
Entropy (8bit): 6.577869728469469
Encrypted: false
SSDEEP: 192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
MD5: 3A4B6B36470BAD66621542F6D0D153AB
SHA1: 5005454BA8E13BAC64189C7A8416ECC1E3834DC6
SHA-256: 2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
SHA-512: 84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11712
Entropy (8bit): 6.6496318655699795
Encrypted: false
SSDEEP: 192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
MD5: A038716D7BBD490378B26642C0C18E94
SHA1: 29CD67219B65339B637A1716A78221915CEB4370
SHA-256: B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
SHA-512: 43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12736
Entropy (8bit): 6.587452239016064
Encrypted: false
SSDEEP: 192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
MD5: D75144FCB3897425A855A270331E38C9
SHA1: 132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
SHA-256: 08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
SHA-512: 295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 14280
Entropy (8bit): 6.658205945107734
Encrypted: false
SSDEEP: 384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
MD5: 8ACB83D102DABD9A5017A94239A2B0C6
SHA1: 9B43A40A7B498E02F96107E1524FE2F4112D36AE
SHA-256: 059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
SHA-512: B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 12224
Entropy (8bit): 6.621310788423453
Encrypted: false
SSDEEP: 96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
MD5: 808F1CB8F155E871A33D85510A360E9E
SHA1: C6251ABFF887789F1F4FC6B9D85705788379D149
SHA-256: DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
SHA-512: 441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 11720
Entropy (8bit): 6.7263193693903345
Encrypted: false
SSDEEP: 192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
MD5: CFF476BB11CC50C41D8D3BF5183D07EC
SHA1: 71E0036364FD49E3E535093E665F15E05A3BDE8F
SHA-256: B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
SHA-512: 7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):12744
                                                                                                            Entropy (8bit):6.601327134572443
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                                                                            MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                                                                            SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                                                                            SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                                                                            SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):14272
                                                                                                            Entropy (8bit):6.519411559704781
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                                                                            MD5:E173F3AB46096482C4361378F6DCB261
                                                                                                            SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                                                                            SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                                                                            SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):12232
                                                                                                            Entropy (8bit):6.659079053710614
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                                                            MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                                                            SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                                                            SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                                                            SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):11200
                                                                                                            Entropy (8bit):6.7627840671368835
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                                                            MD5:0233F97324AAAA048F705D999244BC71
                                                                                                            SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                                                            SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                                                            SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):12224
                                                                                                            Entropy (8bit):6.590253878523919
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                                                            MD5:E1BA66696901CF9B456559861F92786E
                                                                                                            SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                                                            SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                                                            SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):11720
                                                                                                            Entropy (8bit):6.672720452347989
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                                                            MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                                                            SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                                                            SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                                                            SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):13760
                                                                                                            Entropy (8bit):6.575688560984027
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                                                            MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                                                            SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                                                            SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                                                            SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):12232
                                                                                                            Entropy (8bit):6.70261983917014
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                                                            MD5:D175430EFF058838CEE2E334951F6C9C
                                                                                                            SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                                                            SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                                                            SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):12744
                                                                                                            Entropy (8bit):6.599515320379107
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                                                            MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                                                            SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                                                            SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                                                            SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):12232
                                                                                                            Entropy (8bit):6.690164913578267
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                                                            MD5:43E1AE2E432EB99AA4427BB68F8826BB
SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.615761482304143
Encrypted:false
SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
MD5:735636096B86B761DA49EF26A1C7F779
SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12744
Entropy (8bit):6.627282858694643
Encrypted:false
SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
MD5:031DC390780AC08F498E82A5604EF1EB
SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):15816
Entropy (8bit):6.435326465651674
Encrypted:false
SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
MD5:285DCD72D73559678CFD3ED39F81DDAD
SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12232
Entropy (8bit):6.5874576656353145
Encrypted:false
SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):13768
Entropy (8bit):6.645869978118917
Encrypted:false
SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
MD5:41FBBB054AF69F0141E8FC7480D7F122
SHA1:3613A572B462845D6478A92A94769885DA0843AF
SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):37333152
Entropy (8bit):6.632921864082428
Encrypted:false
SSDEEP:393216:LzyCmQCOCLheXbl4MEf+Eidgrpj3xO6FLzq2KHplhrX5:L5WLheXbl4MEf+HgrpjVF6PD5
MD5:32F56F3E644C4AC8C258022C93E62765
SHA1:06DFF5904EBBF69551DFA9F92E6CC2FFA9679BA1
SHA-256:85AF2FB4836145098423E08218AC381110A6519CB559FF6FC7648BA310704315
SHA-512:CAE2B9E40FF71DDAF76A346C20028867439B5726A16AE1AD5E38E804253DFCF6ED0741095A619D0999728D953F2C375329E86B8DE4A0FCE55A8CDC13946D5AD8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........(........&"...&............P........................................P.......3:...`... ......................................`...........A.....p.......t...X.9.H'.......M..............................(......................P............................text...............................`..`.rodata.0........................... ..`.data...............................@....rdata....X......X.................@..@.pdata..t...........................@..@.xdata..`...........................@..@.bss...................................edata.......`.......|..............@..@.idata...A.......B..................@....CRT....`..........................@....tls...............................@....rsrc...p..........................@....reloc...M.......N..................@..B........................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):5100112
Entropy (8bit):6.374242928276845
Encrypted:false
SSDEEP:49152:WBUp8DPNkkup6GAx9HEekwEfG/66xcPiw+UgAnBM+sVf9d3PWKOyz/Omlc69kXOV:WB/Z16w8idUgfT0b6LnBSpytGyodUl
MD5:01589E66D46ABCD9ACB739DA4B542CE4
SHA1:6BF1BD142DF68FA39EF26E2CAE82450FED03ECB6
SHA-256:9BB4A5F453DA85ACD26C35969C049592A71A7EF3060BFA4EB698361F2EDB37A3
SHA-512:0527AF5C1E7A5017E223B3CC0343ED5D42EC236D53ECA30D6DECCEB2945AF0C1FBF8C7CE367E87BC10FCD54A77F5801A0D4112F783C3B7E829B2F40897AF8379
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........D..,....&"...&.R4...D.....P.........................................E.....r}N...`... .......................................D.0-....D.hX...PE.......?.......M.H'...`E..e............................>.(.....................D.`............................text....P4......R4.................`..`.data....3...p4..4...V4.............@....rdata...&....4..(....4.............@..@.pdata........?.......?.............@..@.xdata..8{....A..|...TA.............@..@.bss..........D..........................edata..0-....D.......C.............@..@.idata..hX....D..Z....C.............@....CRT....`....0E......XD.............@....tls.........@E......ZD.............@....rsrc........PE......\D.............@....reloc...e...`E..f...`D.............@..B................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):1089600
Entropy (8bit):6.535744457220272
Encrypted:false
SSDEEP:24576:NFUq9wHzADwiB0Bm3k6gz0sA+wLDZyoFNRsKYw:TUdMDwIgm3kpzsNpyoFDsKYw
MD5:3AAF57892F2D66F4A4F0575C6194F0F8
SHA1:D65C9143603940EDE756D7363AB6750F6B45AB4E
SHA-256:9E0D0A05B798DA5D6C38D858CE1AD855C6D68BA2F9822FA3DA16E148E97F9926
SHA-512:A5F595D9C48B8D5191149D59896694C6DD0E9E1AF782366162D7E3C90C75B2914F6E7AFF384F4B59CA7C5A1ECCCDBF5758E90A6A2B14A8625858A599DCCA429B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........f..X.....&"...&.2...b......P......................................... ......?....`... ......................................0 .xC.... ....... .h.......@>...x..H'.... ............................. Z..(..................... .P............................text....1.......2..................`..`.data........P.......6..............@....rdata...,...`.......8..............@..@.pdata..@>.......@...f..............@..@.xdata...K.......L..................@..@.bss......... ...........................edata..xC...0 ..D..................@..@.idata........ ......6..............@....CRT....`..... ......N..............@....tls.......... ......P..............@....rsrc...h..... ......R..............@....reloc........ ......V..............@..B................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):57488
Entropy (8bit):6.382541157520703
Encrypted:false
SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
MD5:71F796B486C7FAF25B9B16233A7CE0CD
SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:RAR archive data, v5
Category:dropped
Size (bytes):408254
Entropy (8bit):7.999571003706862
Encrypted:true
SSDEEP:12288:OEQnjoqrzY6hDNK7MBc1Z8yK8XyglEeZ4XFt9AHJLc:bMzhK7Z1Z8yK8Jk72I
MD5:68DB1E9D9534C62473DB8D2A2CC9D01F
SHA1:192792150206FEF33334605040ABBDA6FB3FBD5A
SHA-256:FE865FABA2DB3AB54FACA08345B81FCEF2F0C308E78EAC206D22932BF29AE010
SHA-512:9FD8939C18FEB389771CB630533EEB3E797B5BCF81086B7DD63F1DB62CC4042440BF21342AB6C140C15D0EE1E58ACBCC181881DBCBF07EABB81D5A351B95F00C
Malicious:false
Preview:Rar!........!....../6...U...&Y.3.5?.g..0.y+....._..)".e.j[r...u.s@.N.\......!>x.V....yD.p\{.....S.._>[B.Kg!..'E...LAra..>.....B.....KVd.....z..........V.3!..xr.0....nT......Z..U.....+,.6.8...W.h.^.+5. .*m%..R....p....d.....H[.-......R..@J.gW..p...#....E..:.[....Mg..c..e.:u.........+.E..iI.x...o..$...9dBV43..3...Of.P.......B..Fp.....ec[...M..W3Z.tE..i....-u...e.f..I.>k..E....8.-P...u.Bq.....#y.xQ.5.b..v5.9....-.$..VU...y@.s.....U.Z.ru.c....1.e......31...e.r.CL%.n~....`.....j<x..:.J.....n.J."..M.E...x..W7N..i.u....T....?.Z.<3.....Q..'.n.:5..H.6MV$.].)q=-q.1..~5...c..n..;..=.ij.....|...=......#U...HJ.S...N.U&..o..B.)K$4...k....L..c4j.....(A=.-x.v.*I_0...X.oM....Z.|".m$^.......1n....xI.e..._...c..../S..vG..K5rY.VRI.....B..L.w..pQ..W./.V....8._F..l.aE...E....."2 G.6........>.....\...`.n..tP0(.{...]...6&./1L..0...M.M.....xm.KB......\i&M....5..aZ...[4/.W.V%..h...F.K.c.<u..Td...]..2..~..T8..z.5.D]........r.d...~.Zq_....Sw........C.>3(..*+..MK.KT.
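
The records above are the report's dropped-file inventory: for every file msiexec.exe wrote to disk, a type string, size, byte entropy, the report's Encrypted flag, MD5/SHA1/SHA-256/SHA-512 digests and a ReversingLabs detection rate. Two things in this run are worth pulling out before the hashes go into a blocklist: the RAR archive at 7.9996 bits/byte marked Encrypted:true (a compressed archive scores the same whether or not it is password-protected, so the flag by itself does not establish a password), and the three large DLLs described as "stripped to external PDB", one of which carries the only non-zero detection (3%). The Python below is an added example, not part of the Joe Sandbox report: it parses records in this key:value layout, verifies that each digest is a hex string of the length its algorithm produces (so a truncated or mis-copied hash is caught before it is distributed), flags the records described above, and emits the SHA-256 values as an IOC list. SAMPLE is constructed by copying three abbreviated records from this section (Preview, Category, Size, SSDEEP, MD5, SHA1 and SHA-512 lines dropped); the parser tolerates absent fields. The triage reasons and the 7.9 entropy threshold are this example's own choices.

```python
"""Triage helper for Joe Sandbox dropped-file records (added example, not
part of the report). SAMPLE is constructed from three abbreviated records
in this section; the parser tolerates absent fields."""
import re
from dataclasses import dataclass, field

# Expected hex length per digest field; catches truncated or mis-copied hashes.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}
HEX = re.compile(r"^[0-9A-Fa-f]+$")
DETECTION = re.compile(r"•\s*Antivirus:\s*(.+?),\s*Detection:\s*(\d+)%")

SAMPLE = """\
Process:C:\\Windows\\System32\\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):6.374242928276845
Encrypted:false
SHA-256:9BB4A5F453DA85ACD26C35969C049592A71A7EF3060BFA4EB698361F2EDB37A3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\\Windows\\System32\\msiexec.exe
File Type:RAR archive data, v5
Entropy (8bit):7.999571003706862
Encrypted:true
SHA-256:FE865FABA2DB3AB54FACA08345B81FCEF2F0C308E78EAC206D22932BF29AE010
Malicious:false
Process:C:\\Windows\\System32\\msiexec.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):6.382541157520703
Encrypted:false
SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
"""

@dataclass
class Dropped:
    fields: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)  # (vendor, percent)

def parse_records(text):
    """Split report text into records; each 'Process:' line starts a new one."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            cur = Dropped()
            records.append(cur)
        if cur is None:
            continue  # stray text before the first record
        m = DETECTION.match(line)
        if m:
            cur.detections.append((m.group(1), int(m.group(2))))
            continue
        key, sep, value = line.partition(":")  # first colon only: paths keep theirs
        if sep:
            cur.fields[key.strip()] = value.strip()
    return records

def hash_problems(fields):
    """Digest fields that are present but not hex of the expected length."""
    return [n for n, ln in HASH_LEN.items()
            if n in fields and (len(fields[n]) != ln or not HEX.match(fields[n]))]

def triage(rec):
    """Reasons a dropped file deserves a closer look (empty list = nothing notable)."""
    f = rec.fields.get
    reasons = []
    # Near 8 bits/byte means compressed or encrypted content; a compressed archive
    # scores the same with or without a password, so this alone proves neither.
    if f("Encrypted", "").lower() == "true" or float(f("Entropy (8bit)", "0") or 0) >= 7.9:
        reasons.append("high-entropy/encrypted blob")
    if "stripped to external PDB" in f("File Type", ""):
        reasons.append("PE stripped to external PDB")
    if any(pct > 0 for _, pct in rec.detections):
        reasons.append("AV detection > 0%")
    if hash_problems(rec.fields):
        reasons.append("malformed hash field")
    return reasons

def ioc_sha256(records):
    """Unique, well-formed SHA-256 values (lowercase) in report order."""
    out = []
    for rec in records:
        h = rec.fields.get("SHA-256", "").lower()
        if len(h) == 64 and HEX.match(h) and h not in out:
            out.append(h)
    return out

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, rec in enumerate(recs):
        print(f"[{i}] {rec.fields.get('File Type')}")
        for reason in triage(rec) or ["nothing notable"]:
            print("    -", reason)
    print("SHA-256 IOCs:", *ioc_sha256(recs), sep="\n  ")
```

Run against the full report text the script splits on every Process: line, so the same parser covers the remaining records in this section; only SHA-256 values that pass the length and hex check reach the IOC list, which is the property you want before feeding hashes to an EDR or a blocklist.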
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):566704
                                                                                                            Entropy (8bit):6.494428734965787
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                                                                            MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                                                                            SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                                                                            SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                                                                            SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):35656
                                                                                                            Entropy (8bit):6.370522595411868
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:ixmeWkfdHAWcgj7Y7rEabyLcRwEpYinAMx1nyqaJ:pXUdg8jU7r4LcRZ7Hx1nyqa
                                                                                                            MD5:D3CAC4D7B35BACAE314F48C374452D71
                                                                                                            SHA1:95D2980786BC36FEC50733B9843FDE9EAB081918
                                                                                                            SHA-256:4233600651FB45B9E50D2EC8B98B9A76F268893B789A425B4159675B74F802AA
                                                                                                            SHA-512:21C8D73CC001EF566C1F3C7924324E553A6DCA68764ECB11C115846CA54E74BD1DFED12A65AF28D9B00DDABA04F987088AA30E91B96E050E4FC1A256FFF20880
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D..D..D..M.3.J......F......W......N......G......F..D..l......A..D.........E...._.E......E..RichD..................PE..d................"....#.2...4......`7.........@..........................................`..................................................b..,....................d..H'......<....Z..p...........................`Y..@............P...............................text....1.......2.................. ..`.rdata..H"...P...$...6..............@..@.data...H............Z..............@....pdata...............\..............@..@.rsrc................`..............@..@.reloc..<............b..............@..B........................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):22
                                                                                                            Entropy (8bit):3.879664004902594
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                                                                            MD5:D9324699E54DC12B3B207C7433E1711C
                                                                                                            SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                                                                            SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                                                                            SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                                                                            Malicious:false
                                                                                                            Preview:@echo off..Start "" %1
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):158968
                                                                                                            Entropy (8bit):6.4238235663554955
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:izN/1rbQ+rTccg/Lla75jjVBzYCDNzuDQr5whduOd7EKPuh9Aco6uAGUtQFUzcnX:8N/FQ+rejlaFhdrXORhjD6VGUtQWk
                                                                                                            MD5:7FB892E2AC9FF6981B6411FF1F932556
                                                                                                            SHA1:861B6A1E59D4CD0816F4FEC6FD4E31FDE8536C81
                                                                                                            SHA-256:A45A29AECB118FC1A27ECA103EAD50EDD5343F85365D1E27211FE3903643C623
                                                                                                            SHA-512:986672FBB14F3D61FFF0924801AAB3E9D6854BB3141B95EE708BF5B80F8552D5E0D57182226BABA0AE8995A6A6F613864AB0E5F26C4DCE4EB88AB82B060BDAC5
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........O.....&"...&.h..........P.....................................................`... ...................................... .......0..T....`..........X....E..H'...p..................................(...................02...............................text....f.......h..................`..`.data................l..............@....rdata...Q.......R...n..............@..@.pdata..X...........................@..@.xdata..............................@..@.bss.....................................edata....... ......................@..@.idata..T....0......................@....CRT....X....@......................@....tls.........P......................@....rsrc........`......................@....reloc.......p......................@..B................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):707200
                                                                                                            Entropy (8bit):6.610520126248797
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:hTl8xt5jEuhuoWZz8Rt5brZcXVEZMbYwepVQ0G6ddTD8qevJMLf50555555555mj:hZ8xt5jEuhuoWZz8Rt5brZcXVEZMbYJz
                                                                                                            MD5:1144E36E0F8F739DB55A7CF9D4E21E1B
                                                                                                            SHA1:9FA49645C0E3BAE0EDD44726138D7C72EECE06DD
                                                                                                            SHA-256:65F8E4D76067C11F183C0E1670972D81E878E6208E501475DE514BC4ED8638FD
                                                                                                            SHA-512:A82290D95247A67C4D06E5B120415318A0524D00B9149DDDD8B32E21BBD0EE4D86BB397778C4F137BF60DDD4167EE2E9C6490B3018031053E9FE3C0D0B3250E7
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........-.....&"...&............P.....................................................`... ......................................P.......`..........x....P......8...H'......................................(....................c..`............................text...(...........................`..`.data...............................@....rdata...s.......t..................@..@.pdata.......P...0...&..............@..@.xdata...9.......:...V..............@..@.bss.....................................edata.......P......................@..@.idata.......`......................@....CRT....`....p......................@....tls................................@....rsrc...x...........................@....reloc..............................@..B................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):12124160
                                                                                                            Entropy (8bit):4.1175508751036585
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                                                                            MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                                                                            SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                                                                            SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                                                                            SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                                                                            Malicious:false
                                                                                                            Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Java jmod module version 1.0
                                                                                                            Category:dropped
                                                                                                            Size (bytes):51389
                                                                                                            Entropy (8bit):7.916683616123071
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                                                                            MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                                                                            SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                                                                            SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                                                                            SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                                                                            Malicious:false
                                                                                                            Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Java jmod module version 1.0
                                                                                                            Category:dropped
                                                                                                            Size (bytes):41127
                                                                                                            Entropy (8bit):7.961466748192397
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                                                                            MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                                                                            SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                                                                            SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                                                                            SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                                                                            Malicious:false
                                                                                                            Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Java jmod module version 1.0
                                                                                                            Category:dropped
                                                                                                            Size (bytes):113725
                                                                                                            Entropy (8bit):7.928841651831531
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                                                                            MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                                                                            SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                                                                            SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                                                                            SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                                                                            Malicious:false
                                                                                                            Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Java jmod module version 1.0
                                                                                                            Category:dropped
                                                                                                            Size (bytes):896846
                                                                                                            Entropy (8bit):7.923431656723031
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                                                                            MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                                                                            SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                                                                            SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                                                                            SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                                                                            Malicious:false
                                                                                                            Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):639224
                                                                                                            Entropy (8bit):6.219852228773659
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                                                                            MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                                                                            SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                                                                            SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                                                                            SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):98224
Entropy (8bit):6.452201564717313
Encrypted:false
SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):37256
Entropy (8bit):6.297533243519742
Encrypted:false
SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
MD5:135359D350F72AD4BF716B764D39E749
SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):53576
Entropy (8bit):6.371750593889357
Encrypted:false
SSDEEP:1536:ij2SSS5nVoSiH/pOfv3Q3cY37Hx1nI6q:GhSSntiH/pOfvAf3
MD5:E1EEBD44F9F4B52229D6E54155876056
SHA1:052CEA514FC3DA5A23DE6541F97CD4D5E9009E58
SHA-256:D96F2242444A334319B4286403D4BFADAF3F9FCCF390F3DD40BE32FB48CA512A
SHA-512:235BB9516409A55FE7DDB49B4F3179BDCA406D62FD0EC1345ACDDF032B0F3F111C43FF957D4D09AD683D39449C0FFC4C050B387507FADF5384940BD973DAB159
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):144200
Entropy (8bit):6.592048391646652
Encrypted:false
SSDEEP:1536:GjxOs8gLeu4iSssNiTh9Yks32X3KqVy5SmBolzXfqLROJA0o1ZXMvr7Rn6dheIOI:I34iDsG5vm4bfqFKoDmr7h2MHTtwV6K
MD5:3A0DBC5701D20AA87BE5680111A47662
SHA1:BC581374CA1EBE8565DB182AC75FB37413220F03
SHA-256:D53BC4348AD6355C20F75ED16A2F4F641D24881956A7AE8A0B739C0B50CF8091
SHA-512:4740945606636C110AB6C365BD1BE6377A2A9AC224DE6A79AA506183472A9AD0641ECC63E5C5219EE8097ADEF6533AB35E2594D6F8A91788347FDA93CDB0440E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {327C9D99-2094-4698-BA9F-6725EDBE02DC}, Number of Words: 10, Subject: Weisx App, Author: Trindo Coorp Sols, Name of Creating Application: Weisx App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Weisx App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 6 10:14:07 2025, Last Saved Time/Date: Mon Jan 6 10:14:07 2025, Last Printed: Mon Jan 6 10:14:07 2025, Number of Pages: 450
Category:dropped
Size (bytes):60709004
Entropy (8bit):7.214353775236846
Encrypted:false
SSDEEP:786432:UrBkuVmrjV7eIAtenOTZ6oh7Da123AG1ZUJEAyQhcJ7hRNtq50a:UrlVmrjV7eIvnOTZ6ca491SJ5yu4V4W
MD5:15D99525D13A5963A340FB7330BFF4F8
SHA1:4F680FFE01E7BB4F1EE4454E61556F2CF550283D
SHA-256:B5DF645ADCFC9F55D11DC9A9448A7A9E29373C4364F846E5253BDC6B9FA70DE2
SHA-512:38494906D6423BC946C5447ABCA2E41980F21A1D10BC4CAAA25461C402805AE2876EE87A3E1E7C55F50AFB07C5BD542DF660C442BA1AFE5C698603D5A477F473
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1021792
Entropy (8bit):6.608727172078022
Encrypted:false
SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1021792
                                                                                                            Entropy (8bit):6.608727172078022
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                                            MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                                            SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                                            SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                                            SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1021792
                                                                                                            Entropy (8bit):6.608727172078022
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                                            MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                                            SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                                            SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                                            SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1021792
Entropy (8bit):6.608727172078022
Encrypted:false
SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1201504
Entropy (8bit):6.4557937684843365
Encrypted:false
SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
MD5:E83D774F643972B8ECCDB3A34DA135C5
SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1021792
Entropy (8bit):6.608727172078022
Encrypted:false
SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1021792
Entropy (8bit):6.608727172078022
Encrypted:false
SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):380520
Entropy (8bit):6.512348002260683
Encrypted:false
SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
MD5:FFDAACB43C074A8CB9A608C612D7540B
SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):215279
Entropy (8bit):4.9451128892747205
Encrypted:false
SSDEEP:1536:EuR9WT71Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykCN:EA9g1Z0vZXJZYDFufyXbJNCcO
MD5:E9690E12FA919ECB87B04C4A671E6C1B
SHA1:AE7181A5EFC035CD18A2FEC865FAC47EBE52A4ED
SHA-256:D185AB4ED946C73B14FCC6A9ECCC97404BD54F2796EDE178E7F14597DD958C32
SHA-512:DF9A50DBA08E5740A3EB37EB6DD213D95A6CB84288F4936A433F197DF2DDCF07CD6CB683280A8F50FBA5E83A3A2127BB27D4B10BFAF6960370823197B11BA741
Malicious:false
Preview:...@IXOS.@.....@iL&Z.@.....@.....@.....@.....@.....@......&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}..Weisx App..setup.msi.@.....@.....@.....@......icon_24.exe..&.{327C9D99-2094-4698-BA9F-6725EDBE02DC}.....@.....@.....@.....@.......@.....@.....@.......@......Weisx App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@3....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F};.C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}0.21:\Software\Trindo Coorp Sols\Weisx App\Version.@.......@.....@.....@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}D.C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\utest.dll.@.......@.....@.....@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}K.C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140.dll.@.......@.....@.....@......&.{FDDB96EE-847D-4B25-8
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):787808
Entropy (8bit):6.693392695195763
Encrypted:false
SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.1620573611953575
Encrypted:false
SSDEEP:12:JSbX72FjHJAGiLIlHVRpMh/7777777777777777777777777vDHFX9xk2p3Xl0i5:JXQI5ct9xkE6F
MD5:A36D0D6B3691EEA70F5776BB895F6127
SHA1:72BDBDD089DBED9A66B9FE3FDFC060EE4F966FF1
SHA-256:F9888E4453D8A2982D68C00F408B22637D014C62F466217DAB8D98E4BF29A39C
SHA-512:FFB8D77F2CBCC631DC9AADA632B1088E9A16D903EB61C0EB895258BC3B205926A95AE450000F447AF1E68D7F2541E6CE4EDF3F7E23BEADAD4FC2E623A0311CB8
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5657665268858452
Encrypted:false
SSDEEP:48:P8PhluRc06WXOCFT5+4SIkOAECiCy04SCktoaMUXmkkSCk0TTSk:Ohl1UFTsJECUEXe
MD5:9FAFB187F1A706DDCB8EF69FE66D14B0
SHA1:EA0EB104DA39ADDDA29364063A9CB6DAF89E3C7E
SHA-256:64C36868A602EE3CEFEDE8086564CC994AB3CF8CAC0ED95C10DEAB6B92739015
SHA-512:83C180DBBD2DECA2E78A6D53A011826F90F4B3ADBC8D778786E34EDE1E992A8109007CC55A73B5B6415849A6A55A021973A216F41C3609BB2CFE866DB6013DA9
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):432221
Entropy (8bit):5.37517193979972
Encrypted:false
SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauW:zTtbmkExhMJCIpEr/
MD5:FF09E1B70D0258B51C435BBAA762B421
SHA1:FACF8B46E944B4E019070C3AE0753634F494C3C5
SHA-256:D2B24085D7A141923A4360B3CBAA1DA69287544AA822C61E7BE852C9695A5A86
SHA-512:AFF4F2498091654910458FB50C7E9E0BAE1362D3A360FD8A75C600903480D9F1DCA59EBC5FA04F07C35DD378E85FF799726B08218B5924237FBCA3BF0EC2F933
Malicious:false
Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.2547689814050218
Encrypted:false
SSDEEP:48:XmduzPvcFXOTT5H4SIkOAECiCy04SCktoaMUXmkkSCk0TTSk:WdXOTrJECUEXe
MD5:198EC69205C2BF728AE82721EA872989
SHA1:E56F4DF7E47365FF7FB9985277BC658AFF44D3E9
SHA-256:E37E67EB0C0E51BB4D8DA283F55ABFE17D9491C495DE671AEF54452278F68F3F
SHA-512:E9C5C43A8E73ABCC64DDC0C3BE13305C2DDC0F53DA8AC27432767CA521956C9819CC3E74AC13202FF80B7B69BC74032FA6A71120B7D4DD7E6576E6EC9C065822
Malicious:false
                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):0.06917685013757988
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOCSGoxk/FyVky6l3X:2F0i8n0itFzDHFX9xkr3X
                                                                                                            MD5:609ABF0BC6FA1401BDD6C4C4FBB04254
                                                                                                            SHA1:835A91B16E4D9BA6DD9C46594B87AC8300EBD100
                                                                                                            SHA-256:F87A384F1B2A16F4EE030458F5666B72ED10D981A376AC207289C054935F042D
                                                                                                            SHA-512:DF5CF9CA178933B83E36B8ED992742B5131520BFA05DBF96B1F9E6FEAB3D6C23CDFB7AB4077F0DA0D1D723DD25B4BF2FFA8D1C92F3CB07C6A3A088EE390272B6
                                                                                                            Malicious:false
                                                                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):1.2547689814050218
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:XmduzPvcFXOTT5H4SIkOAECiCy04SCktoaMUXmkkSCk0TTSk:WdXOTrJECUEXe
                                                                                                            MD5:198EC69205C2BF728AE82721EA872989
                                                                                                            SHA1:E56F4DF7E47365FF7FB9985277BC658AFF44D3E9
                                                                                                            SHA-256:E37E67EB0C0E51BB4D8DA283F55ABFE17D9491C495DE671AEF54452278F68F3F
                                                                                                            SHA-512:E9C5C43A8E73ABCC64DDC0C3BE13305C2DDC0F53DA8AC27432767CA521956C9819CC3E74AC13202FF80B7B69BC74032FA6A71120B7D4DD7E6576E6EC9C065822
                                                                                                            Malicious:false
                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.5657665268858452
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:P8PhluRc06WXOCFT5+4SIkOAECiCy04SCktoaMUXmkkSCk0TTSk:Ohl1UFTsJECUEXe
                                                                                                            MD5:9FAFB187F1A706DDCB8EF69FE66D14B0
                                                                                                            SHA1:EA0EB104DA39ADDDA29364063A9CB6DAF89E3C7E
                                                                                                            SHA-256:64C36868A602EE3CEFEDE8086564CC994AB3CF8CAC0ED95C10DEAB6B92739015
                                                                                                            SHA-512:83C180DBBD2DECA2E78A6D53A011826F90F4B3ADBC8D778786E34EDE1E992A8109007CC55A73B5B6415849A6A55A021973A216F41C3609BB2CFE866DB6013DA9
                                                                                                            Malicious:false
                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.5657665268858452
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:P8PhluRc06WXOCFT5+4SIkOAECiCy04SCktoaMUXmkkSCk0TTSk:Ohl1UFTsJECUEXe
                                                                                                            MD5:9FAFB187F1A706DDCB8EF69FE66D14B0
                                                                                                            SHA1:EA0EB104DA39ADDDA29364063A9CB6DAF89E3C7E
                                                                                                            SHA-256:64C36868A602EE3CEFEDE8086564CC994AB3CF8CAC0ED95C10DEAB6B92739015
                                                                                                            SHA-512:83C180DBBD2DECA2E78A6D53A011826F90F4B3ADBC8D778786E34EDE1E992A8109007CC55A73B5B6415849A6A55A021973A216F41C3609BB2CFE866DB6013DA9
                                                                                                            Malicious:false
                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):1.2547689814050218
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:XmduzPvcFXOTT5H4SIkOAECiCy04SCktoaMUXmkkSCk0TTSk:WdXOTrJECUEXe
                                                                                                            MD5:198EC69205C2BF728AE82721EA872989
                                                                                                            SHA1:E56F4DF7E47365FF7FB9985277BC658AFF44D3E9
                                                                                                            SHA-256:E37E67EB0C0E51BB4D8DA283F55ABFE17D9491C495DE671AEF54452278F68F3F
                                                                                                            SHA-512:E9C5C43A8E73ABCC64DDC0C3BE13305C2DDC0F53DA8AC27432767CA521956C9819CC3E74AC13202FF80B7B69BC74032FA6A71120B7D4DD7E6576E6EC9C065822
                                                                                                            Malicious:false
                                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):73728
                                                                                                            Entropy (8bit):0.13776241777843565
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:qk+YTekkSCkhkOAECiCy04SCktoaMUXLB4:m7ECUEXL
                                                                                                            MD5:7856991A6ABB3AA79228DF7A7566861F
                                                                                                            SHA1:2F67B4A158C36218CE0AA576ECABA1AB5164CA78
                                                                                                            SHA-256:A1511246CEE7B1F7DB1D536D750E6AD167740EB984BE5B70355487B135836BC2
                                                                                                            SHA-512:F16289C4B363F0BCCF6021A55D511E6699103327102D2D28875A9354DE07BE128B199C07959D908BC1998FD61E9384307EDFA177EA6BE24DF0A68280D082F298
                                                                                                            Malicious:false
                                                                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):638
                                                                                                            Entropy (8bit):4.751962275036146
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                                                                            MD5:15CA959638E74EEC47E0830B90D0696E
                                                                                                            SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                                                                            SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                                                                            SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                                                                            Malicious:false
                                                                                                            Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {327C9D99-2094-4698-BA9F-6725EDBE02DC}, Number of Words: 10, Subject: Weisx App, Author: Trindo Coorp Sols, Name of Creating Application: Weisx App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Weisx App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 6 10:14:07 2025, Last Saved Time/Date: Mon Jan 6 10:14:07 2025, Last Printed: Mon Jan 6 10:14:07 2025, Number of Pages: 450
                                                                                                            Entropy (8bit):7.214353775236846
                                                                                                            TrID:
                                                                                                            • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                                                                            • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                                                                            File name:setup.msi
                                                                                                            File size:60'709'004 bytes
                                                                                                            MD5:15d99525d13a5963a340fb7330bff4f8
                                                                                                            SHA1:4f680ffe01e7bb4f1ee4454e61556f2cf550283d
                                                                                                            SHA256:b5df645adcfc9f55d11dc9a9448a7a9e29373c4364f846e5253bdc6b9fa70de2
                                                                                                            SHA512:38494906d6423bc946c5447abca2e41980f21a1d10bc4caaa25461c402805ae2876ee87a3e1e7c55f50afb07c5bd542df660c442ba1afe5c698603d5a477f473
                                                                                                            SSDEEP:786432:UrBkuVmrjV7eIAtenOTZ6oh7Da123AG1ZUJEAyQhcJ7hRNtq50a:UrlVmrjV7eIvnOTZ6ca491SJ5yu4V4W
                                                                                                            TLSH:4ED76C01B3FA4148F2F75E717EBA85A594BABD521B30C0EF1244A60E1B71BC25BB1763
                                                                                                            Icon Hash:2d2e3797b32b2b99
                                                                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                                            2025-01-06T15:35:16.944702+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49730 | 104.21.32.152 | 443 | TCP
                                                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                            Jan 6, 2025 15:35:16.418839931 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:16.418880939 CET | 443 | 49730 | 104.21.32.152 | 192.168.2.4
                                                                                                            Jan 6, 2025 15:35:16.419048071 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:16.423437119 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:16.423465967 CET | 443 | 49730 | 104.21.32.152 | 192.168.2.4
                                                                                                            Jan 6, 2025 15:35:16.889305115 CET | 443 | 49730 | 104.21.32.152 | 192.168.2.4
                                                                                                            Jan 6, 2025 15:35:16.889399052 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:16.939982891 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:16.940037966 CET | 443 | 49730 | 104.21.32.152 | 192.168.2.4
                                                                                                            Jan 6, 2025 15:35:16.940480947 CET | 443 | 49730 | 104.21.32.152 | 192.168.2.4
                                                                                                            Jan 6, 2025 15:35:16.940531015 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:16.944571018 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:16.944648027 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:16.944685936 CET | 443 | 49730 | 104.21.32.152 | 192.168.2.4
                                                                                                            Jan 6, 2025 15:35:17.418523073 CET | 443 | 49730 | 104.21.32.152 | 192.168.2.4
                                                                                                            Jan 6, 2025 15:35:17.418591022 CET | 443 | 49730 | 104.21.32.152 | 192.168.2.4
                                                                                                            Jan 6, 2025 15:35:17.418679953 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:17.419223070 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:17.419223070 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Jan 6, 2025 15:35:17.419249058 CET | 49730 | 443 | 192.168.2.4 | 104.21.32.152
                                                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                            Jan 6, 2025 15:35:16.373290062 CET | 49252 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                                            Jan 6, 2025 15:35:16.409969091 CET | 53 | 49252 | 1.1.1.1 | 192.168.2.4
                                                                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                            Jan 6, 2025 15:35:16.373290062 CET | 192.168.2.4 | 1.1.1.1 | 0x72b5 | Standard query (0) | palmsizehelis.com | A (IP address) | IN (0x0001) | false
                                                                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                            Jan 6, 2025 15:35:16.409969091 CET | 1.1.1.1 | 192.168.2.4 | 0x72b5 | No error (0) | palmsizehelis.com | (none) | 104.21.32.152 | A (IP address) | IN (0x0001) | false
                                                                                                            Jan 6, 2025 15:35:16.409969091 CET | 1.1.1.1 | 192.168.2.4 | 0x72b5 | No error (0) | palmsizehelis.com | (none) | 172.67.223.229 | A (IP address) | IN (0x0001) | false
                                                                                                            • palmsizehelis.com
                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            0 | 192.168.2.4 | 49730 | 104.21.32.152 | 443 | 4176 | C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            2025-01-06 14:35:16 UTC | 196 | OUT | POST /updater2.php HTTP/1.1
                                                                                                            Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                                                                            User-Agent: AdvancedInstaller
                                                                                                            Host: palmsizehelis.com
                                                                                                            Content-Length: 71
                                                                                                            Cache-Control: no-cache
                                                                                                            2025-01-06 14:35:16 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 30 36 25 32 46 30 31 25 32 46 32 30 32 35 26 54 69 6d 65 3d 30 39 25 33 41 33 35 25 33 41 31 35 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                                                                            Data Ascii: Date=06%2F01%2F2025&Time=09%3A35%3A15&BuildVersion=8.9.9&SoroqVins=True
                                                                                                            2025-01-06 14:35:17 UTC | 837 | IN | HTTP/1.1 500 Internal Server Error
                                                                                                            Date: Mon, 06 Jan 2025 14:35:17 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-store
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ggv7UFw4Z0nlfPyLez6%2FDXvztSaNSxPYje8aPkKhziAovdNSQW9gkHRpVo14y2i7cXC4D9NiJEuRHBgluu76esJhbIGXBuHW%2FVFA%2FLamC5m5upSJP49ri3CHvk8XuePxlGHicQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8fdc6f0739fd8ce8-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1890&min_rtt=1888&rtt_var=713&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=927&delivery_rate=1528795&cwnd=239&unsent_bytes=0&cid=7acbd64c5c70188c&ts=532&x=0"
                                                                                                            2025-01-06 14:35:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                            Data Ascii: 0

                                                                                                            Target ID:0
                                                                                                            Start time:09:35:04
                                                                                                            Start date:06/01/2025
                                                                                                            Path:C:\Windows\System32\msiexec.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                                                                                            Imagebase:0x7ff76e7c0000
                                                                                                            File size:69'632 bytes
                                                                                                            MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:1
                                                                                                            Start time:09:35:04
                                                                                                            Start date:06/01/2025
                                                                                                            Path:C:\Windows\System32\msiexec.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                            Imagebase:0x7ff76e7c0000
                                                                                                            File size:69'632 bytes
                                                                                                            MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:2
                                                                                                            Start time:09:35:07
                                                                                                            Start date:06/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 4051C921A584A510BE00D8667A891A09
                                                                                                            Imagebase:0xe90000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:09:35:17
                                                                                                            Start date:06/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss7301.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi72EE.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr72EF.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr72F0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                                                            Imagebase:0x2d0000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:09:35:17
                                                                                                            Start date:06/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:09:35:24
                                                                                                            Start date:06/01/2025
                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""
                                                                                                            Imagebase:0x7ff79f5c0000
                                                                                                            File size:289'792 bytes
                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:7
                                                                                                            Start time:09:35:24
                                                                                                            Start date:06/01/2025
                                                                                                            Path:C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe"
                                                                                                            Imagebase:0x7ff6017b0000
                                                                                                            File size:57'488 bytes
                                                                                                            MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Reputation:moderate
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:09:35:24
                                                                                                            Start date:06/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 09:35:24
Start date: 06/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 09:35:24
Start date: 06/01/2025
Path: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe"
Imagebase: 0x7ff758d30000
File size: 35'656 bytes
MD5 hash: D3CAC4D7B35BACAE314F48C374452D71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 11
Start time: 09:35:24
Start date: 06/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                              • Opcode ID: 4cb0e99a6161af93c3b79e4b30d2054e03eef8ed706087c26c221671117de761
                                                                                                              • Instruction ID: 67abaf69d53b0abc0f3672555dbf42cc0f8927acadb73b2798e8f37e06490c2e
                                                                                                              • Opcode Fuzzy Hash: 4cb0e99a6161af93c3b79e4b30d2054e03eef8ed706087c26c221671117de761
                                                                                                              • Instruction Fuzzy Hash: 40113AF13141569BDB34466A98A16BBB7D68FD1650F14803AF541C72C2DF35DD81C3B1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1814773413.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'fq$4'fq$$fq$$fq
                                                                                                              • API String ID: 0-2206495126
                                                                                                              • Opcode ID: 171fc3b4219a15fa27c11290105e9a478ed1cc02a4c9354d86090ea5bfa81504
                                                                                                              • Instruction ID: 438e05d505473fdd89eebfbfaa08e4b6a68cd514ab3ca9b348b471850e811844
                                                                                                              • Opcode Fuzzy Hash: 171fc3b4219a15fa27c11290105e9a478ed1cc02a4c9354d86090ea5bfa81504
                                                                                                              • Instruction Fuzzy Hash: C601266170A7890FCB27166918A01F76FB75FC3510B1A00DBD081CF683CD6A4D8A83A7

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.7%
Total number of Nodes: 700
Total number of Limit Nodes: 1

execution_graph (the rendered graph is not reproduced here; the node/edge dump that spilled into the text is summarised below)

Image: a 64-bit PE whose nodes all lie in 0x7ff6017b1000-0x7ff6017b7xxx. The MSVC CRT start-up at 0x7ff6017b27ec (__scrt_initialize_crt, _initialize_onexit_table, _get_initial_narrow_environment, __p___argv, __p___argc, _register_thread_local_exe_atexit_callback, _cexit) calls the program entry at 0x7ff6017b1060.

Call chains recoverable from the dump:
• 0x7ff6017b1060 (program entry): compares argv strings with strcmp and converts one with atoi, builds a path with GetTempPathA and strcat_s, then calls 0x7ff6017b23c0. Failures go through GetLastError and an fprintf/__stdio_common_vfprintf/fflush helper at 0x7ff6017b1450; 0x7ff6017b1399 calls GetModuleHandleW.
• 0x7ff6017b23c0: OpenProcess -> K32GetModuleBaseNameA -> Winsock initialisation at 0x7ff6017b1800 (WSAStartup) -> CreateFileA -> MiniDumpWriteDump, with GetLastError reporting and CloseHandle on every exit path. MiniDumpWriteDump on an arbitrary PID into a file under the temp path is the call pattern of a process-memory dumper; the atoi in the argument loop suggests the target PID comes from the command line. Which process is targeted is not visible in this graph.
• 0x7ff6017b1ce0: gethostname / WSAGetLastError; 0x7ff6017b1b18: _time64. Both feed the string-building routines at 0x7ff6017b18a0, 0x7ff6017b20c0 and 0x7ff6017b2230 (heap allocation via 0x7ff6017b2690, std::bad_alloc raised on failure).
• 0x7ff6017b2ecc: IsProcessorFeaturePresent -> RtlCaptureContext -> RtlLookupFunctionEntry -> RtlVirtualUnwind -> IsDebuggerPresent -> SetUnhandledExceptionFilter -> UnhandledExceptionFilter, reached from the CRT start-up error paths. This is the MSVC CRT __scrt_fastfail sequence, and it is the only IsDebuggerPresent node in the graph, so the "IsDebuggerPresent" signature in the overview is, as far as this graph shows, CRT failure handling rather than dedicated anti-debugging code (execution coverage is 3.4%, so anti-debug code elsewhere is not ruled out).
• 0x7ff6017b2660 (labelled __GSHandlerCheck_EH) -> 0x7ff6017b29c0 (IsProcessorFeaturePresent) -> RtlCaptureContext / RtlLookupFunctionEntry / RtlVirtualUnwind -> 0x7ff6017b2984 (SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess): the /GS stack-cookie failure path. 0x7ff6017b2da0 seeds the cookie with GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId and QueryPerformanceCounter.
• vcruntime support at 0x7ff6017b6498: LoadLibraryExW / GetProcAddress / FreeLibrary, TlsAlloc / TlsGetValue / TlsFree, InitializeCriticalSectionAndSpinCount / DeleteCriticalSection, InitializeSListHead and EncodePointer, plus the C++ exception plumbing seen throughout (ExFilterRethrow, __C_specific_handler, RtlUnwindEx, RtlPcToFileHeader, RaiseException, std::bad_alloc, terminate, abort).

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                                                                              • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                                                                              • API String ID: 2647627392-2367407095
                                                                                                              • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                                                              • Instruction ID: ea7788f9c43bf0f9ddb510b1be1840ef14c7dc09f19c57a0b4f13a633060b7b2
                                                                                                              • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                                                              • Instruction Fuzzy Hash: BAA17FA2E0C78255FB618B20B4E43B967E4EF46758FA88171CA5EC6697DF3CE844C301

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Similarity
                                                                                                              • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                                                              • String ID:
                                                                                                              • API String ID: 2308368977-0
                                                                                                              • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                                                              • Instruction ID: 86e7877fad342be2cdee78301975c879bb57f52d3d021c960151db8f0becd716
                                                                                                              • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                                                              • Instruction Fuzzy Hash: 21316821E4E20782FB14AB61E4E53BA2291BF45784F645039EA0DCB3E7DF2DF8858351

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                                                              • String ID: [createdump]
                                                                                                              • API String ID: 3735572767-2657508301
                                                                                                              • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                                                              • Instruction ID: 4284796121431972dbb717d7e2d8efb6f3db00628b6e8c945aecaeb7b4b73e5b
                                                                                                              • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                                                              • Instruction Fuzzy Hash: 06011D35A0CB8182E7009B51F8592AAA368FF85BD1F504539EF8D83766DF3CD555C701

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 3140674995-0
                                                                                                              • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                                                              • Instruction ID: 07496708376bc347a97c8ff5a91eccdc4c09733fbe83749eaac6927fcddad716
                                                                                                              • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                                                              • Instruction Fuzzy Hash: EE315072609B818AEB609F64E8803EE7365FB84744F54443ADB4E87B9AEF3CD548C710
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                                                              • Instruction ID: cc6707b60b668c4c18be894576ee492789c05be56a767e795483bf985d6bf52a
                                                                                                              • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                                                              • Instruction Fuzzy Hash: EAA0022190CC02D0E7448B18ECD43312335FF50340B600531D40DC10A29F3CE484C301

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6017B242D
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6017B243B
                                                                                                                • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B1475
                                                                                                                • Part of subcall function 00007FF6017B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6017B1485
                                                                                                                • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B1494
                                                                                                                • Part of subcall function 00007FF6017B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14B3
                                                                                                                • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14BE
                                                                                                                • Part of subcall function 00007FF6017B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14C7
                                                                                                              • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6017B2466
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6017B2470
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6017B2487
                                                                                                              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6017B25F3
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                                                                              • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                                                                              • API String ID: 3971781330-1292085346
                                                                                                              • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                                                              • Instruction ID: f597d11248a8971e6505e47526e2464c4efbfb3ae53499ae34c2f560abe9b446
                                                                                                              • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                                                              • Instruction Fuzzy Hash: 94616F31A0DA4282EB209B15E89477A77A1FB857D4F700135EE9E83AA7DF3CE445C701

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                                              • String ID: csm$csm$csm
                                                                                                              • API String ID: 695522112-393685449
                                                                                                              • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                                                              • Instruction ID: 335a48c0a774f0a8957a332649160d2612060232231f1da667d05b4f2775609c
                                                                                                              • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                                                              • Instruction Fuzzy Hash: B8E17F72A086868AEB209F25D4C03AD77B0FB44B58F244135EA9F97797DF38E585C700
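The Memory Dump Source entries in these records name each dumped region with a fixed dotted layout (process, stage, sequence, base address, protection, state, type, index). The parser below is an added editorial example, not part of the Joe Sandbox report or its tooling. It decodes those names so the executable regions, the ones worth feeding to a disassembler or YARA, can be selected automatically. The field meanings are an assumption: the report does not document the layout. The protection and type fields are read as Win32 PAGE_* and MEM_* values because the values on this page (0x20 for the code region at 7FF6017B1000, 0x02 and 0x04 for the others, 0x01000000 throughout) match those constants exactly; the other fields are kept raw. The sample names are the ones listed on this page.

```python
"""Parse Joe Sandbox memory-dump (.sdmp) file names and decode the region
attributes encoded in them.

ASSUMPTION (editorial, not documented by the report): the dotted fields are
process index, analysis stage, dump sequence number, region base address,
Win32 page protection, a state field, Win32 region type and a module index.
Only protection and type are decoded; the rest are kept as raw integers.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 constants from winnt.h (exact values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<idx>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    proc: int
    stage: int
    seq: str          # kept as text: decimal or hex is not documented
    address: int
    protection: int
    state: int        # raw; meaning not documented by the report
    region_type: int
    index: int

    @property
    def is_executable(self) -> bool:
        # Low byte of a PAGE_* value is the access class; 0x10..0x80 all allow execute.
        return (self.protection & 0xFF) in (0x10, 0x20, 0x40, 0x80)

    @property
    def mem_type(self) -> str:
        return MEM_TYPE.get(self.region_type, f"0x{self.region_type:x}")


def describe_protection(prot: int) -> str:
    """Render a PAGE_* value plus any modifier bits, e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    base = prot & 0xFF
    parts = [PAGE_PROTECT.get(base, f"0x{base:x}")]
    parts += [n for bit, n in PAGE_MODIFIERS.items() if prot & bit]
    return "|".join(parts)


def parse_dump_name(name: str) -> Optional[DumpRegion]:
    m = _NAME_RE.match(name)
    if not m:
        return None
    return DumpRegion(
        name=name, proc=int(m["proc"], 16), stage=int(m["stage"], 16), seq=m["seq"],
        address=int(m["addr"], 16), protection=int(m["prot"], 16), state=int(m["state"], 16),
        region_type=int(m["type"], 16), index=int(m["idx"], 16),
    )


def rva(region: DumpRegion, image_base: int) -> int:
    """Offset of the dumped region inside the image whose base the report gives."""
    return region.address - image_base


def executable_regions(names: List[str]) -> List[DumpRegion]:
    """Return the regions that can execute code, lowest address first."""
    regions = [r for r in map(parse_dump_name, names) if r is not None]
    return sorted((r for r in regions if r.is_executable), key=lambda r: r.address)


# Dump names taken from the Memory Dump Source entries of this report.
SAMPLE_DUMPS = [
    "00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp",
    "00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp",
    "00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp",
    "00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp",
    "00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp",
]

if __name__ == "__main__":
    base = 0x7FF6017B0000  # "Offset" given by the report for this image
    for r in map(parse_dump_name, SAMPLE_DUMPS):
        print(f"{r.address:#018x} rva={rva(r, base):#07x} "
              f"{describe_protection(r.protection):<22} {r.mem_type} exec={r.is_executable}")
```

Run against the five names above, only the region at 7FF6017B1000 (RVA 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE) is reported as executable, which is the one the disassembly records on this page are taken from; the read-only and read-write regions are the headers, .rdata and .data of the same image.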

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                                                              • String ID: [createdump]
                                                                                                              • API String ID: 3735572767-2657508301
                                                                                                              • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                                                              • Instruction ID: 92dd9fce2d38ee6f3bbd5737f5c8c1fd0ccb3eb92d74b2d38258052da53ef996
                                                                                                              • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                                                              • Instruction Fuzzy Hash: EE014B31A0CB8182E7009B50F8542AAA364EB84BD1F504135EB8D83766DF7CD495C741

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • WSAStartup.WS2_32 ref: 00007FF6017B186C
                                                                                                                • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B1475
                                                                                                                • Part of subcall function 00007FF6017B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6017B1485
                                                                                                                • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B1494
                                                                                                                • Part of subcall function 00007FF6017B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14B3
                                                                                                                • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14BE
                                                                                                                • Part of subcall function 00007FF6017B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14C7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                                                                              • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                                                                              • API String ID: 3378602911-3973674938
                                                                                                              • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                                                              • Instruction ID: e53d834ae268e3958b7be94d2556b8d0d9babd61f833b9afbca2382b924f3baa
                                                                                                              • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                                                              • Instruction Fuzzy Hash: D731D062E08AC186E7599F55E8E57F927A2BB46784FA44036EE4D87393CF3CE185C700

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF6017B669F,?,?,?,00007FF6017B441E,?,?,?,00007FF6017B43D9), ref: 00007FF6017B651D
                                                                                                              • GetLastError.KERNEL32(?,00000000,00007FF6017B669F,?,?,?,00007FF6017B441E,?,?,?,00007FF6017B43D9,?,?,?,?,00007FF6017B3524), ref: 00007FF6017B652B
                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00007FF6017B669F,?,?,?,00007FF6017B441E,?,?,?,00007FF6017B43D9,?,?,?,?,00007FF6017B3524), ref: 00007FF6017B6555
                                                                                                              • FreeLibrary.KERNEL32(?,00000000,00007FF6017B669F,?,?,?,00007FF6017B441E,?,?,?,00007FF6017B43D9,?,?,?,?,00007FF6017B3524), ref: 00007FF6017B659B
                                                                                                              • GetProcAddress.KERNEL32(?,00000000,00007FF6017B669F,?,?,?,00007FF6017B441E,?,?,?,00007FF6017B43D9,?,?,?,?,00007FF6017B3524), ref: 00007FF6017B65A7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                              • String ID: api-ms-
                                                                                                              • API String ID: 2559590344-2084034818
                                                                                                              • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                                                              • Instruction ID: 2864236bca8ce3d6adb07827af60da05fcad79f07807485155c4cac22b419181
                                                                                                              • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                                                              • Instruction Fuzzy Hash: 5531B421B1AA4691FF25DB12988077523D8FF48BA0F394634EE2D8B386EF3CE4548310

                                                                                                              Control-flow Graph

                                                                                                              Control-flow graph (rendered graph not captured): function starting at 7ff6017b1b18. Entry block 7ff6017b1b18-7ff6017b1b32 calls _time64; the error path 7ff6017b1da2-7ff6017b1dce calls _invalid_parameter_noinfo_noreturn and WSAGetLastError, then 7ff6017b1450 and 7ff6017b2680; block 7ff6017b1dd0-7ff6017b1dde also calls 7ff6017b1450.
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _time64
                                                                                                              • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                                                              • API String ID: 1670930206-4114407318
                                                                                                              • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                                                              • Instruction ID: 64c9ee041995a73287409cb4c7e8d2e9c51117fc08e5bd4b1dcf742a76874e11
                                                                                                              • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                                                              • Instruction Fuzzy Hash: 5651D472A18B8186EB04CF28E4943EE67A5FB457D4FA00135EA5D57BAADF3CE041D740

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EncodePointerabort
                                                                                                              • String ID: MOC$RCC
                                                                                                              • API String ID: 1188231555-2084237596
                                                                                                              • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                                                              • Instruction ID: d207717f065ed28308a2473e0169e8a5cc5b9e1fb9a1f3ddab36037470289b93
                                                                                                              • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                                                              • Instruction Fuzzy Hash: 27918273A08B868AE711CF65E8803AD7BB0F745788F244129EE8D97756DF38D195C740

                                                                                                              Control-flow Graph

                                                                                                              Control-flow graph (rendered graph not captured): function starting at 7ff6017b5414. Entry block 7ff6017b5414-7ff6017b5461 calls 7ff6017b63f4 and 7ff6017b43d0; block 7ff6017b5647-7ff6017b567b calls 7ff6017b49a4; the terminal block 7ff6017b56a2-7ff6017b56a7 ends in abort.
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __except_validate_context_recordabort
                                                                                                              • String ID: csm$csm
                                                                                                              • API String ID: 746414643-3733052814
                                                                                                              • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                                                              • Instruction ID: 8b5d2b1c085b404e5fca5a03dd34431235940bc94aba90b3ea3df26882fede53
                                                                                                              • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                                                              • Instruction Fuzzy Hash: 9D71A132A086828ADB658F25E4947797BA1FB44F99F248136DE8D87B86CF3CD451C700

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
                                                                                                              • Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
                                                                                                              • Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                                                              • API String ID: 0-4114407318
                                                                                                              • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                                                              • Instruction ID: f71deb66fec9047c073cc1e9ac987ef78fdf3f335fa0599e78ee367a8086203e
                                                                                                              • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                                                              • Instruction Fuzzy Hash: BE51F462A18BC586E700CF29E4D47AA67A1FB817D0FA00135EA9D57BEACF3DE041D740

                                                                                                              Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
• Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
Similarity
• API ID: CreateFrameInfo__except_validate_context_record
• String ID: csm
• API String ID: 2558813199-1018135373
• Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
• Instruction ID: 2ca9cdc389542dd9a76d174905109b3389bf5cdd930e031614ca04e3bcf7e77d
• Instruction Fuzzy Hash: CD514C3261974686DB60AB15E48036E77B4FB89B94F240135EB8E97B57CF78E461CB00
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00007FF6017B17EB
• WSAStartup.WS2_32 ref: 00007FF6017B186C
  • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B1475
  • Part of subcall function 00007FF6017B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6017B1485
  • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B1494
  • Part of subcall function 00007FF6017B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14B3
  • Part of subcall function 00007FF6017B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14BE
  • Part of subcall function 00007FF6017B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6017B14C7
Strings
Memory Dump Source
• Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
• Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
Similarity
• API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
• String ID: --name$Pipe syntax in dump name not supported$string too long
• API String ID: 1412700758-3183687674
• Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
• Instruction ID: 498029e65731a31c3f77b0330aa1e939f9dc8be4a8851a80d6e5a2cab7244f19
• Instruction Fuzzy Hash: 4D018422A18985A5F7619F52FCD17FA6750BB89798F600036EE4D87652CF3CD496C700
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
• Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
Similarity
• API ID: ErrorLastgethostname
• String ID: %%%%%%%%$Could not get the host name for dump name: %d
• API String ID: 3782448640-4114407318
• Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
• Instruction ID: 2fc8d7ce47b4a32eba99a42349130be8eba71f31948b334ce7b2e0252c852e1d
• Instruction Fuzzy Hash: 4F11C621E1954685EB49AF21B8E07FA2254AF867B4F601135EA6F972D7DF3CE0828340
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
• Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
Similarity
• API ID: terminate
• String ID: MOC$RCC$csm
• API String ID: 1821763600-2671469338
• Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
• Instruction ID: f473d6ceacf57db2070225e984b5c29ba406c8f927f250221531a556922e7a15
• Instruction Fuzzy Hash: 6FF0AF36A0824ED1E7245B51A1C526D3374EF58B44F2C5031D71B97393CF7CE4A1C602
APIs
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF6017B18EE), ref: 00007FF6017B21E0
• Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6017B221E
Strings
Memory Dump Source
• Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
• Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
Similarity
• API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
• String ID: Invalid process id '%d' error %d
• API String ID: 73155330-4244389950
• Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
• Instruction ID: bb2dd967c3eccb7af897e0d6a8df0f09e7e1ecc0d51296571468bbeff9ccf6b3
• Instruction Fuzzy Hash: 0031F326B0A78696EB109F15D9843A963A5EB09BD0F280631DF6D8BBD7DF7CF0508300
APIs
• RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6017B173F), ref: 00007FF6017B3FC8
• RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6017B173F), ref: 00007FF6017B400E
Strings
Memory Dump Source
• Source File: 00000007.00000002.1870314073.00007FF6017B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6017B0000, based on PE: true
• Associated: 00000007.00000002.1870268672.00007FF6017B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870368650.00007FF6017B8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870411794.00007FF6017BC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1870523505.00007FF6017BD000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff6017b0000_createdump.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
• Instruction ID: ec710dc8faf1705416f24c5941b6e8edb886d30d86d97999a71bad33d2266790
• Instruction Fuzzy Hash: DE113A36618B8182EB218B25F48036977A4FB88B84F684230EECD47B69DF3DD595CB00
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
• Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: strncmp$__acrt_iob_func$av_dict_freeav_strerrorfprintfprintf$av_dict_getos_event_init$__stdio_common_vfprintf_errnoav_dict_countav_dict_parse_stringav_mallocavformat_write_headeravio_alloc_contextavio_openbreallocmemmovepthread_createpthread_mutex_initstrerror
• String ID: %s=%s$Couldn't open '%s', %s$Error opening '%s': %s$Failed to parse muxer settings: %s%s$Using muxer settings:
• API String ID: 2783795328-2826353358
• Opcode ID: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
• Instruction ID: d5a3a6588ad9183ab5ff6a61cae88eb1373c98cab7f4c8d7fedc28e1a45deab5
• Instruction Fuzzy Hash: 93A16122E08B8A93EB14FB21D5507F8E3E0FB5C788F884136EA5D47655EF6CE2588354
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
• Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: __acrt_iob_func$freemalloc$fprintf$ByteCharMultiWideav_rescale_q_rndrealloc$ErrorMode__stdio_common_vfprintf_fileno_setmodeav_interleaved_write_frameav_strerrormemsetsetvbuf
• String ID: Couldn't initialize muxer$av_interleaved_write_frame failed: %d: %s
• API String ID: 4192084208-164389310
• Opcode ID: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
• Instruction ID: 308026bb585fe30fc9744b42c92e8b166b1ee0a43886ffedb3d152ca1fa7ccde
• Instruction Fuzzy Hash: 65E18D22A08B8A87EB24AF65E8502B9E7E0FB8CB95F884135DE0D17754DF3CE1498714
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
• Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 313767242-0
• Opcode ID: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
• Instruction ID: 54588d269cee229acb03d7ced49a074e136998a5f54fb427ad19fbfedc38cf98
• Instruction Fuzzy Hash: 10315C72609B8586EB60AF64E8807EDB3B0FB88744F884039DA4E47A84DF38D14CC724
APIs
  • Part of subcall function 00007FF758D32570: printf.MSPDB140-MSVCRT ref: 00007FF758D32587
  • Part of subcall function 00007FF758D32530: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,00000000,00007FF758D32617,?,?,?,00007FF758D31BD6,?,?,?,00007FF758D31A02), ref: 00007FF758D32552
• puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF758D31BD6,?,?,?,00007FF758D31A02), ref: 00007FF758D328DF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
• Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: atoiprintfputs
                                                                                                              • String ID: Invalid number of audio tracks$Invalid number of video tracks$Must have at least 1 audio track or 1 video track$audio codec$audio track count$file name$muxer settings$stream key$video bitrate$video chroma sample location$video codec$video codec tag$video color primaries$video color range$video color trc$video colorspace$video fps den$video fps num$video height$video max luminance$video track count$video width${stream_key}
                                                                                                              • API String ID: 3402752964-4246942696
                                                                                                              • Opcode ID: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                                                                              • Instruction ID: 33069d4188256f20e57de53430fc7dee4cd5d94abd5e29d11e192e360d4e8942
                                                                                                              • Opcode Fuzzy Hash: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                                                                              • Instruction Fuzzy Hash: A3811965D0875A93EA14EB51E6145F8E3E1AB0DBE2FC90032DD4D17695DF3CE20EC228
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
                                                                                                              • Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintffclosefprintfmallocos_event_signalos_event_waitpthread_mutex_lock
                                                                                                              • String ID: Error allocating memory for output$Error writing to '%s', %s
                                                                                                              • API String ID: 2637689336-4070097938
                                                                                                              • Opcode ID: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                                                                              • Instruction ID: d68eb3abc87bf338ed6872df176ba0724cd5a6e4749bec27522ac4d26964daca
                                                                                                              • Opcode Fuzzy Hash: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                                                                              • Instruction Fuzzy Hash: CEA15F32A09B8A86DB51AF25E5403FDE3A0FB4DB88F884135EE8D17759DF78D1498324
                                                                                                              APIs
                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF758D31A6D
                                                                                                                • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D3204A
                                                                                                                • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D32065
                                                                                                                • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D32080
                                                                                                                • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D3209B
                                                                                                                • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D320B6
                                                                                                              • avformat_network_init.AVFORMAT-60 ref: 00007FF758D31A85
                                                                                                              • av_guess_format.AVFORMAT-60 ref: 00007FF758D31AAF
                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF758D31ABC
                                                                                                              • fprintf.MSPDB140-MSVCRT ref: 00007FF758D31AD0
                                                                                                              • avformat_alloc_output_context2.AVFORMAT-60 ref: 00007FF758D31AEC
                                                                                                              • av_strerror.AVUTIL-58 ref: 00007FF758D31B19
                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF758D31B23
                                                                                                              • fprintf.MSPDB140-MSVCRT ref: 00007FF758D31B38
                                                                                                                • Part of subcall function 00007FF758D32910: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF758D31B4C), ref: 00007FF758D32939
                                                                                                                • Part of subcall function 00007FF758D32370: avcodec_free_context.AVCODEC-60 ref: 00007FF758D32388
                                                                                                                • Part of subcall function 00007FF758D32370: av_free.AVUTIL-58 ref: 00007FF758D323B1
                                                                                                                • Part of subcall function 00007FF758D32370: avio_context_free.AVFORMAT-60 ref: 00007FF758D323BD
                                                                                                                • Part of subcall function 00007FF758D32370: avformat_free_context.AVFORMAT-60 ref: 00007FF758D323CC
                                                                                                                • Part of subcall function 00007FF758D32370: avcodec_free_context.AVCODEC-60 ref: 00007FF758D32402
                                                                                                                • Part of subcall function 00007FF758D32370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF758D32415
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
                                                                                                              • Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strncmp$__acrt_iob_funcavcodec_free_contextfprintf$av_freeav_guess_formatav_strerroravformat_alloc_output_context2avformat_free_contextavformat_network_initavio_context_freecallocfree
                                                                                                              • String ID: Couldn't find an appropriate muxer for '%s'$Couldn't initialize output context: %s$http$mpegts$video/M2PT
                                                                                                              • API String ID: 3777911973-2524251934
                                                                                                              • Opcode ID: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                                                                              • Instruction ID: ae80123d8171b1dba8e8423b1a5f8b4ad5b9f1a96b332ab997275317c91c72cb
                                                                                                              • Opcode Fuzzy Hash: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                                                                              • Instruction Fuzzy Hash: 6C31A011E1874B83FE60BB25D8112B9E3E0AF8D7D5FD85235E95D07295EE2CE44C8728
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
                                                                                                              • Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __acrt_iob_funcav_content_light_metadata_allocav_mastering_display_metadata_allocav_memdupav_stream_add_side_dataavcodec_alloc_context3avcodec_descriptor_get_by_name
                                                                                                              • String ID: 2$Couldn't find codec '%s'$E
                                                                                                              • API String ID: 3726879996-2734579634
                                                                                                              • Opcode ID: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                                                                              • Instruction ID: cb4fab5bd2c7cad7ceb29c31a6de13308f6fdca35d1a1588c9a9c594f4ed8f7c
                                                                                                              • Opcode Fuzzy Hash: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                                                                              • Instruction Fuzzy Hash: 4281E276609B84CBD754DF25E58025DBBF0F789B88F54402AEB8C87B58DB7AD858CB00
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
                                                                                                              • Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __acrt_iob_func$avcodec_descriptor_get_by_nameavcodec_find_encoder
                                                                                                              • String ID: Couldn't find codec '%s'$Couldn't find codec descriptor '%s'$title
                                                                                                              • API String ID: 3715327632-3279048111
                                                                                                              • Opcode ID: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
                                                                                                              • Instruction ID: 499ffd7dfa058fc722b7b43ddd0d6ba9581e82cec2b40f32c5cd2fb7c5ab7fc7
                                                                                                              • Opcode Fuzzy Hash: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
                                                                                                              • Instruction Fuzzy Hash: C3619B72605B8987DB04EF16E5907ADB7A0FB88B94F894039EE4E07754DF38E059C714
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
                                                                                                              • Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: bfreefreeos_event_destroy$av_packet_freeav_write_traileros_event_signalpthread_joinpthread_mutex_destroypthread_mutex_lockpthread_mutex_unlock
                                                                                                              • String ID:
                                                                                                              • API String ID: 3736584056-0
                                                                                                              • Opcode ID: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
                                                                                                              • Instruction ID: 2b1a548e61ec7ad7125ac2f77b13c634a0e8f2aa60a305d401ca624b63193322
                                                                                                              • Opcode Fuzzy Hash: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
                                                                                                              • Instruction Fuzzy Hash: 23312C22A0878682EB55FF34D5513FCE3A0FF98B48F8C4131DE4D4A19ADF289589C368
                                                                                                              APIs
                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D3204A
                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D32065
                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D32080
                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D3209B
                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D320B6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
                                                                                                              • Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strncmp
                                                                                                              • String ID: http$rist$srt$tcp$udp
                                                                                                              • API String ID: 1114863663-504309389
                                                                                                              • Opcode ID: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
                                                                                                              • Instruction ID: 14ff24bf5c9b4a0cdc957a4baeb29d24d2782ed9991936467a297def166f6af4
                                                                                                              • Opcode Fuzzy Hash: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
                                                                                                              • Instruction Fuzzy Hash: 2501F794B1471B82FB616B22E480624E3B4AF4DBD6FC85039C90D4B290DF2DE64DC738
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
                                                                                                              • Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                              • Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: memcpypthread_mutex_lockpthread_mutex_unlock$os_event_resetos_event_signalos_event_wait
• String ID:
• API String ID: 2918620995-0
• Opcode ID: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
• Instruction ID: e17c5e73a4510d6118c19437968f153db7d1fd36626ae609f4ae96445ac605e5
• Opcode Fuzzy Hash: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
• Instruction Fuzzy Hash: 39418636A08B8582D611EF25E5403ADE7A0FB99BD8F880031EF8D17B5ACF3CD1948714
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
• Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
• String ID:
• API String ID: 1184979102-0
• Opcode ID: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
• Instruction ID: d7d45d513ba242fc8e495270b00f393c622225a2fa7d0f8b21ed3d395bd08985
• Opcode Fuzzy Hash: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
• Instruction Fuzzy Hash: 40312B61A0874A43FA18BB29E6513B9D2D1AF5D784FCC4034EE0D472E3DE2CE84C8638
APIs
• avcodec_free_context.AVCODEC-60 ref: 00007FF758D32388
• avformat_free_context.AVFORMAT-60 ref: 00007FF758D323CC
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D3204A
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D32065
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D32080
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D3209B
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D320B6
• av_free.AVUTIL-58 ref: 00007FF758D323B1
• avio_context_free.AVFORMAT-60 ref: 00007FF758D323BD
• avio_close.AVFORMAT-60 ref: 00007FF758D323C4
• avcodec_free_context.AVCODEC-60 ref: 00007FF758D32402
• free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF758D32415
Memory Dump Source
• Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
• Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: strncmp$avcodec_free_context$av_freeavformat_free_contextavio_closeavio_context_freefree
• String ID:
• API String ID: 1086289117-0
• Opcode ID: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
• Instruction ID: 1a4ff981aa32add6c1a5a69bf2ef90b41352877c72d719fd4a457ae493d28145
• Opcode Fuzzy Hash: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
• Instruction Fuzzy Hash: 4B215022E0575A83EB10BF25E49167CE3E0FB4CF89F895536EA4D47655CF38D44A8324
APIs
• avformat_new_stream.AVFORMAT-60(?,?,?,00007FF758D312F1), ref: 00007FF758D329AD
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF758D312F1), ref: 00007FF758D329C0
• fprintf.MSPDB140-MSVCRT ref: 00007FF758D329D3
  • Part of subcall function 00007FF758D32320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF758D329D8,?,?,?,00007FF758D312F1), ref: 00007FF758D32357
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1872326580.00007FF758D31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF758D30000, based on PE: true
• Associated: 0000000A.00000002.1872300858.00007FF758D30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872353250.00007FF758D35000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872437048.00007FF758D36000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000A.00000002.1872460103.00007FF758D39000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: __acrt_iob_func__stdio_common_vfprintfavformat_new_streamfprintf
• String ID: Couldn't create stream for encoder '%s'
• API String ID: 306180413-3485626053
• Opcode ID: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
• Instruction ID: d091a5d3dadd76457c9d348ab011fb67232323605ddb67e0cda5f153e62e5620
• Opcode Fuzzy Hash: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
• Instruction Fuzzy Hash: E4F06D32A19B8582EA44DB16F451069F7A0FB8CBD0B8C9035EE4D03719DE3CD555CB04
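The per-function records above (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are what an analyst pivots on when asking whether the same function turns up in another report, so a parser for that layout is the practical tool here. The following is an added example, not Joe Sandbox code and not part of this report: it parses the record format into dicts, rebuilds the "API ID" from the call list, and lists the modules a function imports from. The sample input is two of this page's records copied in the report's own layout with the memory-dump lines trimmed. The API ID rebuild encodes a grouping rule inferred from the records on this page (names grouped by call count, highest count first, groups joined by "$", names sorted within a group); that rule is an assumption, not documented Joe Sandbox behaviour, which is why the code checks it against the report's own value rather than trusting it.

```python
"""Parse Joe Sandbox per-function records (APIs / Joe Sandbox IDA Plugin /
Similarity blocks) so an analyst can pivot on API sets and fuzzy hashes.
Added example, not Joe Sandbox code.  The 'API ID' rebuild uses a grouping
rule inferred from this page's records (assumption, not documented)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: two records from this page in the report's own layout,
# with the memory-dump metadata trimmed to the fields used here.
SAMPLE = """APIs
• avcodec_free_context.AVCODEC-60 ref: 00007FF758D32388
• avformat_free_context.AVFORMAT-60 ref: 00007FF758D323CC
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D3204A
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D32065
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D32080
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D3209B
  • Part of subcall function 00007FF758D32030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF758D323A2), ref: 00007FF758D320B6
• av_free.AVUTIL-58 ref: 00007FF758D323B1
• avio_context_free.AVFORMAT-60 ref: 00007FF758D323BD
• avio_close.AVFORMAT-60 ref: 00007FF758D323C4
• avcodec_free_context.AVCODEC-60 ref: 00007FF758D32402
• free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF758D32415
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: strncmp$avcodec_free_context$av_freeavformat_free_contextavio_closeavio_context_freefree
• String ID:
• Instruction Fuzzy Hash: 4B215022E0575A83EB10BF25E49167CE3E0FB4CF89F895536EA4D47655CF38D44A8324
APIs
• avformat_new_stream.AVFORMAT-60(?,?,?,00007FF758D312F1), ref: 00007FF758D329AD
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF758D312F1), ref: 00007FF758D329C0
• fprintf.MSPDB140-MSVCRT ref: 00007FF758D329D3
  • Part of subcall function 00007FF758D32320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF758D329D8,?,?,?,00007FF758D312F1), ref: 00007FF758D32357
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff758d30000_obs-ffmpeg-mux.jbxd
Similarity
• API ID: __acrt_iob_func__stdio_common_vfprintfavformat_new_streamfprintf
• String ID: Couldn't create stream for encoder '%s'
• Instruction Fuzzy Hash: E4F06D32A19B8582EA44DB16F451069F7A0FB8CBD0B8C9035EE4D03719DE3CD555CB04
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}
# name.MODULE, optional (args), optional comma, then "ref: <address>"
API_RE = re.compile(r"^(?P<func>[^.(\s]+)\.(?P<module>[^(\s]+?)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s+(?P<rest>.*)$")
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$")


def _clean(raw: str) -> str:
    """Drop indentation and the bullet the report puts in front of each field."""
    return raw.strip().lstrip("•").strip()


def parse_records(text: str) -> List[Dict]:
    """Return one dict per function: {'apis': [call dicts], 'meta': {field: value}}."""
    records: List[Dict] = []
    rec: Optional[Dict] = None
    section = None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs" or rec is None:   # a new function record begins
                rec = {"apis": [], "meta": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:                          # text that starts mid-record
            continue
        if section == "APIs":
            sub = SUBCALL_RE.match(line)          # calls made by a callee
            m = API_RE.match(sub.group("rest") if sub else line)
            if m:
                rec["apis"].append({"func": m["func"], "module": m["module"], "ref": m["ref"],
                                    "subcall_of": sub.group("caller") if sub else None})
        else:
            m = KV_RE.match(line)
            if m:
                rec["meta"][m["key"].strip()] = m["val"].strip()
    return records


def api_id_string(rec: Dict) -> str:
    """Rebuild 'API ID' from the call list: grouped by call count (highest first),
    groups joined by '$', names sorted within a group.  Inferred rule (assumption)."""
    counts = Counter(a["func"] for a in rec["apis"])
    by_count: Dict[int, List[str]] = {}
    for name, n in counts.items():
        by_count.setdefault(n, []).append(name)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def modules_used(rec: Dict) -> List[str]:
    """Sorted set of DLL / API-set names the function resolves imports from."""
    return sorted({a["module"] for a in rec["apis"]})


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        ok = api_id_string(r) == r["meta"]["API ID"]
        print(r["meta"]["Snapshot File"], len(r["apis"]), "calls, API ID rebuilt:", ok)
```

Pivoting is then a matter of keying the parsed records by `Instruction Fuzzy Hash` or by `api_id_string` across several reports; a mismatch between the rebuilt API ID and the report's own value flags a record whose grouping rule differs from the one inferred here, so it is worth keeping that comparison in any batch run.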