Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
u1XWB0BIju.msi

Overview

General Information

Sample name:u1XWB0BIju.msi
renamed because original name is a hash value
Original sample name:4274b7541835d424a306f05fad2fcc8dc596d7d6dbebbb05c1246eb49f88c2a0.msi
Analysis ID:1584950
MD5:5b9d5851602b98c84c44c08e8112c42c
SHA1:1f84dd588066bb9cff409e9caf9f7f87b690279a
SHA256:4274b7541835d424a306f05fad2fcc8dc596d7d6dbebbb05c1246eb49f88c2a0
Tags:LegionLoadermsipalmsizehelis-comRobotDropperuser-johnk3r
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AdvancedInstaller

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 7520 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\u1XWB0BIju.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7556 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7652 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815B MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7840 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8036 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • obs-ffmpeg-mux.exe (PID: 8144 cmdline: "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe" MD5: D3CAC4D7B35BACAE314F48C374452D71)
        • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 8044 cmdline: "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_AdvancedInstallerYara detected AdvancedInstallerJoe Security

    Sigma Signatures

    System Summary

    barindex
    Sigma detected: Script Interpreter Execution From Suspicious Folder
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7840, ProcessName: powershell.exe
    Sigma detected: Suspicious Script Execution From Temp Folder
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7840, ProcessName: powershell.exe
    Sigma detected: Change PowerShell Policies to an Insecure Level
    Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7840, ProcessName: powershell.exe
    Sigma detected: Msiexec Initiated Connection
    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 104.21.112.1, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7652, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
    Sigma detected: Suspicious MsiExec Embedding Parent
    Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7840, ProcessName: powershell.exe
    Sigma detected: Non Interactive PowerShell Process Spawned
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7840, ProcessName: powershell.exe

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-01-06T20:22:14.355999+010028292021A Network Trojan was detected192.168.2.449730104.21.112.1443TCP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: https://palmsizehelis.com/updater2.phpAvira URL Cloud: Label: malware
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 85.1% probability
    Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{66953C33-9A06-4AA2-86BC-B339791EE9DF}Jump to behavior
    Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000000.1829682535.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: ucrtbase.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: u1XWB0BIju.msi, MSI8493.tmp.1.dr, 4c7acb.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
    Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000000.1831668888.00007FF6DBB65000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmp
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000000.1829682535.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: u1XWB0BIju.msi, MSI8493.tmp.1.dr, 4c7acb.msi.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: u1XWB0BIju.msi, MSI8454.tmp.1.dr, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: c:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
    Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 104.21.112.1:443
    Source: Joe Sandbox ViewIP Address: 104.21.112.1 104.21.112.1
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficDNS traffic detected: DNS query: palmsizehelis.com
    Source: unknownHTTP traffic detected: POST /updater2.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: palmsizehelis.comContent-Length: 71Cache-Control: no-cache
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
    Source: powershell.exe, 00000003.00000002.1785703430.0000000006DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: powershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://ocsp.digicert.com0C
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://ocsp.digicert.com0K
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://ocsp.digicert.com0N
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://ocsp.digicert.com0O
    Source: powershell.exe, 00000003.00000002.1782483350.00000000046A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://schemas.micj
    Source: powershell.exe, 00000003.00000002.1782483350.0000000004551000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000003.00000002.1782483350.00000000046A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1785434393.0000000006D42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: http://www.digicert.com/CPS0
    Source: powershell.exe, 00000003.00000002.1782483350.0000000004551000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
    Source: powershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000003.00000002.1782483350.00000000046A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.1782483350.0000000004D82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
    Source: powershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: https://palmsizehelis.com/updater2.phpx
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4c7acb.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI82F9.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI83F4.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8424.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8454.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8493.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI84E3.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8512.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA4FF.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{66953C33-9A06-4AA2-86BC-B339791EE9DF}Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAA02.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAA03.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4c7ace.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4c7ace.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI82F9.tmpJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF6DBB62A1010_2_00007FF6DBB62A10
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF6DBB62EE010_2_00007FF6DBB62EE0
    Source: avcodec-60.dll.1.drStatic PE information: Number of sections : 13 > 10
    Source: avutil-58.dll.1.drStatic PE information: Number of sections : 12 > 10
    Source: swresample-4.dll.1.drStatic PE information: Number of sections : 12 > 10
    Source: swscale-7.dll.1.drStatic PE information: Number of sections : 12 > 10
    Source: zlib.dll.1.drStatic PE information: Number of sections : 12 > 10
    Source: avformat-60.dll.1.drStatic PE information: Number of sections : 12 > 10
    Source: api-ms-win-core-handle-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-string-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-memory-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-debug-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-environment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-heap-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l2-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-profile-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-localization-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-datetime-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-1.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-util-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-interlocked-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-conio-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-timezone-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-convert-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenameDataUploader.dllF vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenameucrtbase.dllj% vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenamevcruntime140.dllT vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenamemsvcp140.dllT vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs u1XWB0BIju.msi
    Source: u1XWB0BIju.msiBinary or memory string: OriginalFilenameembeddeduiproxy.dllF vs u1XWB0BIju.msi
    Source: classification engineClassification label: mal76.evad.winMSI@17/88@1/1
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CMLB285.tmpJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF5AD78C816C6A9EAD.TMPJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\PayloadJump to behavior
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\u1XWB0BIju.msi"
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815B
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe"
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815BJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""Jump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe"Jump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe" Jump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeSection loaded: dbgcore.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeSection loaded: obs.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeSection loaded: avcodec-60.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeSection loaded: avutil-58.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeSection loaded: avformat-60.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeSection loaded: w32-pthreads.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeSection loaded: vcruntime140.dllJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{66953C33-9A06-4AA2-86BC-B339791EE9DF}Jump to behavior
    Source: u1XWB0BIju.msiStatic file information: File size 60709189 > 1048576
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000000.1829682535.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: ucrtbase.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: u1XWB0BIju.msi, MSI8493.tmp.1.dr, 4c7acb.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
    Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000000.1831668888.00007FF6DBB65000.00000002.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmp
    Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000000.1829682535.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: u1XWB0BIju.msi, MSI8493.tmp.1.dr, 4c7acb.msi.1.dr
    Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: u1XWB0BIju.msi, MSI8454.tmp.1.dr, 4c7acb.msi.1.dr
    Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: u1XWB0BIju.msi, 4c7acb.msi.1.dr
    Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
    Source: vcruntime140.dll.1.drStatic PE information: section name: _RDATA
    Source: BCUninstaller.exe.1.drStatic PE information: section name: _RDATA
    Source: createdump.exe.1.drStatic PE information: section name: _RDATA
    Source: UnRar.exe.1.drStatic PE information: section name: _RDATA
    Source: avformat-60.dll.1.drStatic PE information: section name: .xdata
    Source: avutil-58.dll.1.drStatic PE information: section name: .xdata
    Source: swresample-4.dll.1.drStatic PE information: section name: .xdata
    Source: swscale-7.dll.1.drStatic PE information: section name: .xdata
    Source: zlib.dll.1.drStatic PE information: section name: .xdata
    Source: avcodec-60.dll.1.drStatic PE information: section name: .rodata
    Source: avcodec-60.dll.1.drStatic PE information: section name: .xdata
    Source: MSIAA03.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI82F9.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI83F4.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI8424.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI8454.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI8493.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI84E3.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI8512.tmp.1.drStatic PE information: section name: .fptable
    Source: MSIA4FF.tmp.1.drStatic PE information: section name: .fptable
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0280BDA2 push esp; ret 3_2_0280BDB3
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8512.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140_1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\w32-pthreads.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avutil-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI83F4.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swresample-4.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\utest.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8454.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAA03.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\UnRar.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8424.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI82F9.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avformat-60.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA4FF.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI84E3.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\BCUninstaller.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\zlib.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avcodec-60.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\msvcp140.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swscale-7.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8493.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI83F4.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI84E3.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8512.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI82F9.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8454.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAA03.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8493.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA4FF.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8424.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

    Malware Analysis System Evasion

    barindex
    Query firmware table information (likely to detect VMs)
    Source: C:\Windows\SysWOW64\msiexec.exeSystem information queried: FirmwareTableInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2495Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1338Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8512.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI82F9.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140_1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA4FF.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI83F4.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI84E3.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swresample-4.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\BCUninstaller.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\zlib.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\utest.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8454.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAA03.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\msvcp140.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swscale-7.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\UnRar.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8493.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8424.tmpJump to dropped file
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeAPI coverage: 8.2 %
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912Thread sleep count: 2495 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7916Thread sleep count: 1338 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944Thread sleep time: -1844674407370954s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7932Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: 4c7acb.msi.1.drBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: u1XWB0BIju.msi, 4c7acb.msi.1.drBinary or memory string: QEMutyU+\
    Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeCode function: 7_2_00007FF745FC2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF745FC2ECC
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""Jump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeCode function: 7_2_00007FF745FC2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF745FC2984
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeCode function: 7_2_00007FF745FC3074 SetUnhandledExceptionFilter,7_2_00007FF745FC3074
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeCode function: 7_2_00007FF745FC2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF745FC2ECC
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF6DBB63E04 SetUnhandledExceptionFilter,10_2_00007FF6DBB63E04
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF6DBB63C5C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00007FF6DBB63C5C
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exeCode function: 10_2_00007FF6DBB63774 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FF6DBB63774

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Bypasses PowerShell execution policy
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe" Jump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssaa7a.ps1" -propfile "c:\users\user\appdata\local\temp\msiaa67.txt" -scriptfile "c:\users\user\appdata\local\temp\scraa68.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scraa69.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssaa7a.ps1" -propfile "c:\users\user\appdata\local\temp\msiaa67.txt" -scriptfile "c:\users\user\appdata\local\temp\scraa68.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scraa69.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."Jump to behavior
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exeCode function: 7_2_00007FF745FC2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF745FC2DA0

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity Information1
    Scripting    		1
    Replication Through Removable Media    		1
    Command and Scripting Interpreter    		1
    Windows Service    		1
    Windows Service    		21
    Masquerading    		OS Credential Dumping1
    System Time Discovery    		Remote Services1
    Archive Collected Data    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    PowerShell    		1
    Scripting    		11
    Process Injection    		1
    Disable or Modify Tools    		LSASS Memory111
    Security Software Discovery    		Remote Desktop ProtocolData from Removable Media2
    Non-Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAt1
    DLL Side-Loading    		1
    DLL Side-Loading    		121
    Virtualization/Sandbox Evasion    		Security Account Manager1
    Process Discovery    		SMB/Windows Admin SharesData from Network Shared Drive3
    Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
    Process Injection    		NTDS121
    Virtualization/Sandbox Evasion    		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    Obfuscated Files or Information    		LSA Secrets1
    Application Window Discovery    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    Timestomp    		Cached Domain Credentials11
    Peripheral Device Discovery    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
    DLL Side-Loading    		DCSync13
    System Information Discovery    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
    File Deletion    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1584950 Sample: u1XWB0BIju.msi Startdate: 06/01/2025 Architecture: WINDOWS Score: 76 49 palmsizehelis.com 2->49 57 Suricata IDS alerts for network traffic 2->57 59 Antivirus detection for URL or domain 2->59 61 AI detected suspicious sample 2->61 63 2 other signatures 2->63 9 msiexec.exe 138 104 2->9         started        12 msiexec.exe 2 2->12         started        signatures3 process4 file5 35 C:\Windows\Installer\MSIAA03.tmp, PE32 9->35 dropped 37 C:\Windows\Installer\MSIA4FF.tmp, PE32 9->37 dropped 39 C:\Windows\Installer\MSI8512.tmp, PE32 9->39 dropped 41 51 other files (none is malicious) 9->41 dropped 14 msiexec.exe 14 9->14         started        19 cmd.exe 1 9->19         started        21 createdump.exe 1 9->21         started        process6 dnsIp7 51 palmsizehelis.com 104.21.112.1, 443, 49730 CLOUDFLARENETUS United States 14->51 43 C:\Users\user\AppData\Local\...\scrAA68.ps1, Unicode 14->43 dropped 45 C:\Users\user\AppData\Local\...\pssAA7A.ps1, Unicode 14->45 dropped 47 C:\Users\user\AppData\Local\...\msiAA67.txt, Unicode 14->47 dropped 53 Query firmware table information (likely to detect VMs) 14->53 55 Bypasses PowerShell execution policy 14->55 23 powershell.exe 17 14->23         started        25 obs-ffmpeg-mux.exe 1 19->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        file8 signatures9 process10 process11 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    u1XWB0BIju.msi5%ReversingLabs

    Dropped Files

    SourceDetectionScannerLabelLink
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\BCUninstaller.exe0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\UnRar.exe0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-2-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-datetime-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-debug-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-errorhandling-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-2-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l2-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-handle-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-heap-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-interlocked-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-libraryloader-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-localization-l1-2-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-memory-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-namedpipe-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processenvironment-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-1.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-profile-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-rtlsupport-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-string-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-2-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-sysinfo-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-timezone-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-util-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-conio-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-convert-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-environment-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-filesystem-l1-1-0.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avcodec-60.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avformat-60.dll3%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avutil-58.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\msvcp140.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swresample-4.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swscale-7.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\utest.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140_1.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\w32-pthreads.dll0%ReversingLabs
    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\zlib.dll0%ReversingLabs
    C:\Windows\Installer\MSI82F9.tmp0%ReversingLabs
    C:\Windows\Installer\MSI83F4.tmp0%ReversingLabs
    C:\Windows\Installer\MSI8424.tmp0%ReversingLabs
    C:\Windows\Installer\MSI8454.tmp0%ReversingLabs
    C:\Windows\Installer\MSI8493.tmp0%ReversingLabs
    C:\Windows\Installer\MSI84E3.tmp0%ReversingLabs
    C:\Windows\Installer\MSI8512.tmp0%ReversingLabs
    C:\Windows\Installer\MSIA4FF.tmp0%ReversingLabs
    C:\Windows\Installer\MSIAA03.tmp0%ReversingLabs

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://schemas.micj0%Avira URL Cloudsafe
    https://palmsizehelis.com/updater2.phpx0%Avira URL Cloudsafe
    https://palmsizehelis.com/updater2.php100%Avira URL Cloudmalware

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    palmsizehelis.com
    		104.21.112.1
    		truetrue
      		unknown

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      https://palmsizehelis.com/updater2.phptrue
      • Avira URL Cloud: malware
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1782483350.00000000046A6000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://aka.ms/pscore6lBpowershell.exe, 00000003.00000002.1782483350.0000000004551000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://crl.microsoftpowershell.exe, 00000003.00000002.1785703430.0000000006DB5000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1782483350.00000000046A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1785434393.0000000006D42000.00000004.00000020.00020000.00000000.sdmpfalse
                		high
                https://go.micropowershell.exe, 00000003.00000002.1782483350.0000000004D82000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://contoso.com/powershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Licensepowershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://contoso.com/Iconpowershell.exe, 00000003.00000002.1784424541.00000000055BD000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://schemas.micju1XWB0BIju.msi, 4c7acb.msi.1.drfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://palmsizehelis.com/updater2.phpxu1XWB0BIju.msi, 4c7acb.msi.1.drfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://aka.ms/winui2/webview2download/Reload():u1XWB0BIju.msi, 4c7acb.msi.1.drfalse
                            		high
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1782483350.0000000004551000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1782483350.00000000046A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                104.21.112.1
                                		palmsizehelis.comUnited States
                                		13335CLOUDFLARENETUStrue

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1584950
                                Start date and time:2025-01-06 20:21:13 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 27s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:15
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:u1XWB0BIju.msi
                                renamed because original name is a hash value
                                Original Sample Name:4274b7541835d424a306f05fad2fcc8dc596d7d6dbebbb05c1246eb49f88c2a0.msi
                                Detection:MAL
                                Classification:mal76.evad.winMSI@17/88@1/1
                                EGA Information:
                                • Successful, ratio: 33.3%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 15
                                • Number of non-executed functions: 35
                                Cookbook Comments:
                                • Found application associated with file extension: .msi

                                Warnings

                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 172.202.163.200, 20.12.23.50, 13.107.246.45
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target obs-ffmpeg-mux.exe, PID 8144 because there are no executed function
                                • Execution Graph export aborted for target powershell.exe, PID 7840 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • VT rate limit hit for: u1XWB0BIju.msi

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                14:22:14API Interceptor5x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                104.21.112.1SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                • beammp.com/phpmyadmin/

                                Domains

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                palmsizehelis.comsetup.msiGet hashmaliciousUnknownBrowse
                                • 104.21.32.152

                                ASNs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                CLOUDFLARENETUSZipThis.exeGet hashmaliciousUnknownBrowse
                                • 104.18.2.200
                                https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGNGet hashmaliciousHTMLPhisherBrowse
                                • 104.17.25.14
                                https://scales.mn/file/one-drv11.htmlGet hashmaliciousUnknownBrowse
                                • 104.17.25.14
                                http://click.pstmrk.itGet hashmaliciousUnknownBrowse
                                • 1.1.1.1
                                http://t.me/hhackplusGet hashmaliciousUnknownBrowse
                                • 1.1.1.1
                                Drivespan.dllGet hashmaliciousUnknownBrowse
                                • 104.20.3.235
                                https://www.figma.com/design/Sw6t5vElBVmnrFNiteka8B/Untitled-(Copy)?node-id=0-1&p=f&t=x9aFU3FgLH1rkKBK-0Get hashmaliciousUnknownBrowse
                                • 172.66.0.227
                                https://linkedln.contact/ugtxCQqLJUk?in/fuat-kirikci22-46d64297c/Get hashmaliciousUnknownBrowse
                                • 104.18.9.247
                                http://joeschmidtmusic.netGet hashmaliciousUnknownBrowse
                                • 1.1.1.1
                                https://linkedln.contact/ugtxCQqLJUk?in/fuat-kirikci22-46d64297c/Get hashmaliciousUnknownBrowse
                                • 104.18.9.247

                                JA3 Fingerprints

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                37f463bf4616ecd445d4a1937da06e19setup.msiGet hashmaliciousUnknownBrowse
                                • 104.21.112.1
                                2749837485743-7684385786.05.exeGet hashmaliciousNitolBrowse
                                • 104.21.112.1
                                2749837485743-7684385786.05.exeGet hashmaliciousUnknownBrowse
                                • 104.21.112.1
                                drop1.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                • 104.21.112.1
                                ZT0KQ1PC.exeGet hashmaliciousPureLog Stealer, VidarBrowse
                                • 104.21.112.1
                                LinxOptimizer.exeGet hashmaliciousUnknownBrowse
                                • 104.21.112.1
                                setup.msiGet hashmaliciousUnknownBrowse
                                • 104.21.112.1
                                drop1.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                • 104.21.112.1
                                2b687482300.6345827638.08.exeGet hashmaliciousUnknownBrowse
                                • 104.21.112.1

                                Dropped Files

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\UnRar.exesetup.msiGet hashmaliciousUnknownBrowse
                                  setup.msiGet hashmaliciousUnknownBrowse
                                    Setup.msiGet hashmaliciousUnknownBrowse
                                      6a7e35.msiGet hashmaliciousUnknownBrowse
                                        setup.msiGet hashmaliciousUnknownBrowse
                                          setup.msiGet hashmaliciousUnknownBrowse
                                            setup.msiGet hashmaliciousUnknownBrowse
                                              setup.msiGet hashmaliciousUnknownBrowse
                                                setup.msiGet hashmaliciousUnknownBrowse
                                                  48.252.190.9.zipGet hashmaliciousUnknownBrowse
                                                    C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\BCUninstaller.exesetup.msiGet hashmaliciousUnknownBrowse
                                                      setup.msiGet hashmaliciousUnknownBrowse
                                                        Setup.msiGet hashmaliciousUnknownBrowse
                                                          6a7e35.msiGet hashmaliciousUnknownBrowse
                                                            setup.msiGet hashmaliciousUnknownBrowse
                                                              setup.msiGet hashmaliciousUnknownBrowse
                                                                setup.msiGet hashmaliciousUnknownBrowse
                                                                  setup.msiGet hashmaliciousUnknownBrowse
                                                                    setup.msiGet hashmaliciousUnknownBrowse
                                                                      48.252.190.9.zipGet hashmaliciousUnknownBrowse

                                                                        Created / dropped Files

                                                                        C:\Config.Msi\4c7acd.rbs

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):19996
                                                                        Entropy (8bit):5.834876207327348
                                                                        Encrypted:false
                                                                        SSDEEP:384:wm1pzRdtmXeks76G0uZWbbZBZN01VuD5vokphIMGKvkLMgjfWGI+1bfZ52AkXYA4:wspzRdtmXeks76G0uZWbbZBZN01VuD5k
                                                                        MD5:7F6605DEC3907E2DF1D25BB803B19D6D
                                                                        SHA1:4F987EAC1D4BD4493F183D5DF7E3D3C8654E729C
                                                                        SHA-256:72BD06A0837BBEB08C36222E273271C10100FFFCE6E6E208BAB41AC74693B848
                                                                        SHA-512:8A8A899F44A5939A7B7307323D14A2E700DF54E4EBB63EC1234EF9CB3BF6D386CB5961B393C1EDC45FB41EF027312D5CE1EA7143D30D99A43FB2F2E6A6DDB41A
                                                                        Malicious:false
                                                                        Preview:...@IXOS.@.....@.r&Z.@.....@.....@.....@.....@.....@......&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}..Weisx App..u1XWB0BIju.msi.@.....@.....@.....@......icon_24.exe..&.{327C9D99-2094-4698-BA9F-6725EDBE02DC}.....@.....@.....@.....@.......@.....@.....@.......@......Weisx App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{FDDB96EE-847D-4B25-85B1-65E662CF63A8}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{9608D8ED-8EC6-4540-B232-4A823606F862}&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}.@......&.{17B6E8D6-C004-40DB-BB2D-125D7C1CC21E}&.{66953C33-9A06

                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Download File
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):1360
                                                                        Entropy (8bit):5.413197223328133
                                                                        Encrypted:false
                                                                        SSDEEP:24:3UWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R82r6SVbu:EWSU4y4RQmFoUeWmfmZ9tK8NWR823Vbu
                                                                        MD5:4EE98ECBC11472A5F2C270505F6B3879
                                                                        SHA1:8522F7DA43966CA85A15553AB079EE3877350FF3
                                                                        SHA-256:E2BD932F23DB7A52BE4921DB1C3D25BCDC2E9AA6CEEF34D68596CA2A6D97D454
                                                                        SHA-512:D48EDFA575431893A668FED2BC500529D41BF3583C48B8C3080296CAE41F1657B8715A40BFA8565436F31685EC25C0A93903D3E3532426178C9890C16D35BF1D
                                                                        Malicious:false
                                                                        Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lfmkyjl4.ovm.psm1

                                                                        Download File
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxsibszi.vxa.ps1

                                                                        Download File
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\msiAA67.txt

                                                                        Download File
                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):100
                                                                        Entropy (8bit):3.0073551160284637
                                                                        Encrypted:false
                                                                        SSDEEP:3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
                                                                        MD5:7A131AC8F407D08D1649D8B66D73C3B0
                                                                        SHA1:D93E1B78B1289FB51E791E524162D69D19753F22
                                                                        SHA-256:9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
                                                                        SHA-512:47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
                                                                        Malicious:true
                                                                        Preview:..Q.u.i.t.e.S.e.s. .:.<.-.>.:. . .<.<.:.>.>. .E.x.t.e.n.d.E.x.p.i.r.e. .:.<.-.>.:. .0. .<.<.:.>.>. .

                                                                        C:\Users\user\AppData\Local\Temp\pssAA7A.ps1

                                                                        Download File
                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):6668
                                                                        Entropy (8bit):3.5127462716425657
                                                                        Encrypted:false
                                                                        SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                        MD5:30C30EF2CB47E35101D13402B5661179
                                                                        SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                        SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                        SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                        Malicious:true
                                                                        Preview:..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                        C:\Users\user\AppData\Local\Temp\scrAA68.ps1

                                                                        Download File
                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):266
                                                                        Entropy (8bit):3.500405439723985
                                                                        Encrypted:false
                                                                        SSDEEP:6:Q1AGYNk79idK3fOlFoulk+KiV64AGIArMTlP1LlG7JidK3falnUOn03AnfGR:Q1F3Kvoq3VFVrMTQNeFUr3ZR
                                                                        MD5:A18EA6E053D5061471852A4151A7D4D0
                                                                        SHA1:AEA460891F599C4484F04A3BC5ACC62E9D5AD9F7
                                                                        SHA-256:C4EF109DD1FEF1A7E4AF385377801EEA0E7936D207EBCEBBE078BAD56FB1F4AB
                                                                        SHA-512:7530E2974622BB6649C895C062C151AC7C496CCC0BDAE4EB53C6F29888FA7B1E184026FBB39DDB5D8741378BEE969DD70B34AC7459F3387D92D21DBCFE28DC9A
                                                                        Malicious:true
                                                                        Preview:..$.s.k.g.i.e.h.g. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".Q.u.i.t.e.S.e.s.".....$.o.i.g.s.e.i.g.j. .=. .[.u.i.n.t.3.2.].(.$.s.k.g.i.e.h.g. .-.r.e.p.l.a.c.e. .'.t.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".E.x.t.e.n.d.E.x.p.i.r.e.". .$.o.i.g.s.e.i.g.j.

                                                                        C:\Users\user\AppData\Roaming\Microsoft\Installer\{66953C33-9A06-4AA2-86BC-B339791EE9DF}\icon_24.exe

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                        Category:dropped
                                                                        Size (bytes):195906
                                                                        Entropy (8bit):4.669224805215773
                                                                        Encrypted:false
                                                                        SSDEEP:1536:k1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykl:k1Z0vZXJZYDFufyXbJNCcr
                                                                        MD5:E40B08C6FF5F07916B45741B7D0C5E87
                                                                        SHA1:94C2357A59BAA3B537993F570CEA03EC51C1917B
                                                                        SHA-256:131ABD59B7D4B6177F2815E8CEB0F3DA325CB1074AEFBE99F61A382F1895AF44
                                                                        SHA-512:FA8453DD4936F772381E50533CD91DB8857F1A608CEB91F225300FC4E9DE8475EB416A3682D0C85829058570EBB9BBDF18CC650D36FA87E13BC262C827D0C695
                                                                        Malicious:false
                                                                        Preview:............ .............. .(.......``.... .........HH.... ..T..R"..@@.... .(B...v..00.... ..%...... .... ............... .....R......... .h........PNG........IHDR.............\r.f....pHYs..........o.d.. .IDATx..yx.e.>|.Ug?Y.N..d%...6M."....".=......v..f....5}..3.b.h#v..".....b.(...@.}..........8kr...}]\".N.[u.y.g....|....|....|....|....|....|....|...[..F/......h4..h$...5.....Z.f..J%322...... .p...\HH.l6.a..c.............rC>.8|..&..;....f.Y.q....a.?.e.x..eY6F....a..DBH...F....@..R.\v.!...QJ[....(...Z.!.@#!d.R..l'!.3..V........s3..|..|.`.b..LSS...._A.Q.....@. ...2.o...J)C.a(...B.a.s.B......>N.......PB.O..(.m...t..P.0L...^&..p.g.....<x..g...S......2.L..h4..a.y..#.,..A.I..@)..`.!.!.qv>W...D...Z.R...cLA..Z.|G)..p.a.J..8..t..9......S.7.EEEZ..Q*.I..;.AXJ.Y.0L....0......8Z#.....B,..*J...e...p..~???...n..+...)...7.[[[.4.M0.%..{(........jA.m..)...A.x.).+.."....|E...y.p..q..Y.m....a....CBB.,..0.s/...q.^.@1Q@nvaw.W./..#.p...J.Q.e..B..,;..._.o.Ro.....`...^....ls.!......

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\BCUninstaller.exe

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):310928
                                                                        Entropy (8bit):6.001677789306043
                                                                        Encrypted:false
                                                                        SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                                        MD5:147B71C906F421AC77F534821F80A0C6
                                                                        SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                                        SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                                        SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Joe Sandbox View:
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: Setup.msi, Detection: malicious, Browse
                                                                        • Filename: 6a7e35.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: 48.252.190.9.zip, Detection: malicious, Browse
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}|...|...|....../p....../v....../1...u.a.l....../u...|........./v....../}...Rich|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\UnRar.exe

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):506008
                                                                        Entropy (8bit):6.4284173495366845
                                                                        Encrypted:false
                                                                        SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                                        MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                                        SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                                        SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                                        SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Joe Sandbox View:
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: Setup.msi, Detection: malicious, Browse
                                                                        • Filename: 6a7e35.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                                        • Filename: 48.252.190.9.zip, Detection: malicious, Browse
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12224
                                                                        Entropy (8bit):6.596101286914553
                                                                        Encrypted:false
                                                                        SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                                        MD5:919E653868A3D9F0C9865941573025DF
                                                                        SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                                        SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                                        SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-console-l1-2-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12224
                                                                        Entropy (8bit):6.640081558424349
                                                                        Encrypted:false
                                                                        SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                                        MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                                        SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                                        SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                                        SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-datetime-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11712
                                                                        Entropy (8bit):6.6023398138369505
                                                                        Encrypted:false
                                                                        SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                                        MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                                        SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                                        SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                                        SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-debug-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11720
                                                                        Entropy (8bit):6.614262942006268
                                                                        Encrypted:false
                                                                        SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                                        MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                                        SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                                        SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                                        SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-errorhandling-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11720
                                                                        Entropy (8bit):6.654155040985372
                                                                        Encrypted:false
                                                                        SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                                        MD5:94788729C9E7B9C888F4E323A27AB548
                                                                        SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                                        SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                                        SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):15304
                                                                        Entropy (8bit):6.548897063441128
                                                                        Encrypted:false
                                                                        SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                                        MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                                        SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                                        SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                                        SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l1-2-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11712
                                                                        Entropy (8bit):6.622041192039296
                                                                        Encrypted:false
                                                                        SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                                        MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                                        SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                                        SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                                        SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-file-l2-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11720
                                                                        Entropy (8bit):6.730719514840594
                                                                        Encrypted:false
                                                                        SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                                        MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                                        SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                                        SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                                        SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-handle-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11720
                                                                        Entropy (8bit):6.626458901834476
                                                                        Encrypted:false
                                                                        SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                                        MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                                        SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                                        SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                                        SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-heap-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12232
                                                                        Entropy (8bit):6.577869728469469
                                                                        Encrypted:false
                                                                        SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                                        MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                                        SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                                        SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                                        SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-interlocked-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11712
                                                                        Entropy (8bit):6.6496318655699795
                                                                        Encrypted:false
                                                                        SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                                        MD5:A038716D7BBD490378B26642C0C18E94
                                                                        SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                                        SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                                        SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-libraryloader-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12736
                                                                        Entropy (8bit):6.587452239016064
                                                                        Encrypted:false
                                                                        SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                                        MD5:D75144FCB3897425A855A270331E38C9
                                                                        SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                                        SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                                        SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-localization-l1-2-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):14280
                                                                        Entropy (8bit):6.658205945107734
                                                                        Encrypted:false
                                                                        SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                                        MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                                        SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                                        SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                                        SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-memory-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12224
                                                                        Entropy (8bit):6.621310788423453
                                                                        Encrypted:false
                                                                        SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                                        MD5:808F1CB8F155E871A33D85510A360E9E
                                                                        SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                                        SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                                        SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-namedpipe-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11720
                                                                        Entropy (8bit):6.7263193693903345
                                                                        Encrypted:false
                                                                        SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                                        MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                                        SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                                        SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                                        SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processenvironment-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12744
                                                                        Entropy (8bit):6.601327134572443
                                                                        Encrypted:false
                                                                        SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                                        MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                                        SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                                        SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                                        SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):14272
                                                                        Entropy (8bit):6.519411559704781
                                                                        Encrypted:false
                                                                        SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                                        MD5:E173F3AB46096482C4361378F6DCB261
                                                                        SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                                        SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                                        SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-processthreads-l1-1-1.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12232
                                                                        Entropy (8bit):6.659079053710614
                                                                        Encrypted:false
                                                                        SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                        MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                        SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                        SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                        SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-profile-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11200
                                                                        Entropy (8bit):6.7627840671368835
                                                                        Encrypted:false
                                                                        SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                        MD5:0233F97324AAAA048F705D999244BC71
                                                                        SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                        SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                        SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-rtlsupport-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12224
                                                                        Entropy (8bit):6.590253878523919
                                                                        Encrypted:false
                                                                        SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                        MD5:E1BA66696901CF9B456559861F92786E
                                                                        SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                        SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                        SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-string-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11720
                                                                        Entropy (8bit):6.672720452347989
                                                                        Encrypted:false
                                                                        SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                        MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                        SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                        SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                        SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):13760
                                                                        Entropy (8bit):6.575688560984027
                                                                        Encrypted:false
                                                                        SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                        MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                        SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                        SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                        SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-synch-l1-2-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12232
                                                                        Entropy (8bit):6.70261983917014
                                                                        Encrypted:false
                                                                        SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                        MD5:D175430EFF058838CEE2E334951F6C9C
                                                                        SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                        SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                        SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-sysinfo-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12744
                                                                        Entropy (8bit):6.599515320379107
                                                                        Encrypted:false
                                                                        SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                        MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                        SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                        SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                        SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-timezone-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12232
                                                                        Entropy (8bit):6.690164913578267
                                                                        Encrypted:false
                                                                        SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                        MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                                        SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                                        SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                                        SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-core-util-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11720
                                                                        Entropy (8bit):6.615761482304143
                                                                        Encrypted:false
                                                                        SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                                        MD5:735636096B86B761DA49EF26A1C7F779
                                                                        SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                                        SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                                        SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-conio-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12744
                                                                        Entropy (8bit):6.627282858694643
                                                                        Encrypted:false
                                                                        SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                                        MD5:031DC390780AC08F498E82A5604EF1EB
                                                                        SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                                        SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                                        SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-convert-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):15816
                                                                        Entropy (8bit):6.435326465651674
                                                                        Encrypted:false
                                                                        SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                                        MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                                        SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                                        SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                                        SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-environment-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):12232
                                                                        Entropy (8bit):6.5874576656353145
                                                                        Encrypted:false
                                                                        SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                                        MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                                        SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                                        SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                                        SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\api-ms-win-crt-filesystem-l1-1-0.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):13768
                                                                        Entropy (8bit):6.645869978118917
                                                                        Encrypted:false
                                                                        SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                                        MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                                        SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                                        SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                                        SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avcodec-60.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):37333152
                                                                        Entropy (8bit):6.632921864082428
                                                                        Encrypted:false
                                                                        SSDEEP:393216:LzyCmQCOCLheXbl4MEf+Eidgrpj3xO6FLzq2KHplhrX5:L5WLheXbl4MEf+HgrpjVF6PD5
                                                                        MD5:32F56F3E644C4AC8C258022C93E62765
                                                                        SHA1:06DFF5904EBBF69551DFA9F92E6CC2FFA9679BA1
                                                                        SHA-256:85AF2FB4836145098423E08218AC381110A6519CB559FF6FC7648BA310704315
                                                                        SHA-512:CAE2B9E40FF71DDAF76A346C20028867439B5726A16AE1AD5E38E804253DFCF6ED0741095A619D0999728D953F2C375329E86B8DE4A0FCE55A8CDC13946D5AD8
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........(........&"...&............P........................................P.......3:...`... ......................................`...........A.....p.......t...X.9.H'.......M..............................(......................P............................text...............................`..`.rodata.0........................... ..`.data...............................@....rdata....X......X.................@..@.pdata..t...........................@..@.xdata..`...........................@..@.bss...................................edata.......`.......|..............@..@.idata...A.......B..................@....CRT....`..........................@....tls...............................@....rsrc...p..........................@....reloc...M.......N..................@..B........................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avformat-60.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5100112
                                                                        Entropy (8bit):6.374242928276845
                                                                        Encrypted:false
                                                                        SSDEEP:49152:WBUp8DPNkkup6GAx9HEekwEfG/66xcPiw+UgAnBM+sVf9d3PWKOyz/Omlc69kXOV:WB/Z16w8idUgfT0b6LnBSpytGyodUl
                                                                        MD5:01589E66D46ABCD9ACB739DA4B542CE4
                                                                        SHA1:6BF1BD142DF68FA39EF26E2CAE82450FED03ECB6
                                                                        SHA-256:9BB4A5F453DA85ACD26C35969C049592A71A7EF3060BFA4EB698361F2EDB37A3
                                                                        SHA-512:0527AF5C1E7A5017E223B3CC0343ED5D42EC236D53ECA30D6DECCEB2945AF0C1FBF8C7CE367E87BC10FCD54A77F5801A0D4112F783C3B7E829B2F40897AF8379
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........D..,....&"...&.R4...D.....P.........................................E.....r}N...`... .......................................D.0-....D.hX...PE.......?.......M.H'...`E..e............................>.(.....................D.`............................text....P4......R4.................`..`.data....3...p4..4...V4.............@....rdata...&....4..(....4.............@..@.pdata........?.......?.............@..@.xdata..8{....A..|...TA.............@..@.bss..........D..........................edata..0-....D.......C.............@..@.idata..hX....D..Z....C.............@....CRT....`....0E......XD.............@....tls.........@E......ZD.............@....rsrc........PE......\D.............@....reloc...e...`E..f...`D.............@..B................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\avutil-58.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1089600
                                                                        Entropy (8bit):6.535744457220272
                                                                        Encrypted:false
                                                                        SSDEEP:24576:NFUq9wHzADwiB0Bm3k6gz0sA+wLDZyoFNRsKYw:TUdMDwIgm3kpzsNpyoFDsKYw
                                                                        MD5:3AAF57892F2D66F4A4F0575C6194F0F8
                                                                        SHA1:D65C9143603940EDE756D7363AB6750F6B45AB4E
                                                                        SHA-256:9E0D0A05B798DA5D6C38D858CE1AD855C6D68BA2F9822FA3DA16E148E97F9926
                                                                        SHA-512:A5F595D9C48B8D5191149D59896694C6DD0E9E1AF782366162D7E3C90C75B2914F6E7AFF384F4B59CA7C5A1ECCCDBF5758E90A6A2B14A8625858A599DCCA429B
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........f..X.....&"...&.2...b......P......................................... ......?....`... ......................................0 .xC.... ....... .h.......@>...x..H'.... ............................. Z..(..................... .P............................text....1.......2..................`..`.data........P.......6..............@....rdata...,...`.......8..............@..@.pdata..@>.......@...f..............@..@.xdata...K.......L..................@..@.bss......... ...........................edata..xC...0 ..D..................@..@.idata........ ......6..............@....CRT....`..... ......N..............@....tls.......... ......P..............@....rsrc...h..... ......R..............@....reloc........ ......V..............@..B................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):57488
                                                                        Entropy (8bit):6.382541157520703
                                                                        Encrypted:false
                                                                        SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                                        MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                                        SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                                        SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                                        SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\iwhgjds.rar

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:RAR archive data, v5
                                                                        Category:dropped
                                                                        Size (bytes):408254
                                                                        Entropy (8bit):7.999571003706862
                                                                        Encrypted:true
                                                                        SSDEEP:12288:OEQnjoqrzY6hDNK7MBc1Z8yK8XyglEeZ4XFt9AHJLc:bMzhK7Z1Z8yK8Jk72I
                                                                        MD5:68DB1E9D9534C62473DB8D2A2CC9D01F
                                                                        SHA1:192792150206FEF33334605040ABBDA6FB3FBD5A
                                                                        SHA-256:FE865FABA2DB3AB54FACA08345B81FCEF2F0C308E78EAC206D22932BF29AE010
                                                                        SHA-512:9FD8939C18FEB389771CB630533EEB3E797B5BCF81086B7DD63F1DB62CC4042440BF21342AB6C140C15D0EE1E58ACBCC181881DBCBF07EABB81D5A351B95F00C
                                                                        Malicious:false
                                                                        Preview:Rar!........!....../6...U...&Y.3.5?.g..0.y+....._..)".e.j[r...u.s@.N.\......!>x.V....yD.p\{.....S.._>[B.Kg!..'E...LAra..>.....B.....KVd.....z..........V.3!..xr.0....nT......Z..U.....+,.6.8...W.h.^.+5. .*m%..R....p....d.....H[.-......R..@J.gW..p...#....E..:.[....Mg..c..e.:u.........+.E..iI.x...o..$...9dBV43..3...Of.P.......B..Fp.....ec[...M..W3Z.tE..i....-u...e.f..I.>k..E....8.-P...u.Bq.....#y.xQ.5.b..v5.9....-.$..VU...y@.s.....U.Z.ru.c....1.e......31...e.r.CL%.n~....`.....j<x..:.J.....n.J."..M.E...x..W7N..i.u....T....?.Z.<3.....Q..'.n.:5..H.6MV$.].)q=-q.1..~5...c..n..;..=.ij.....|...=......#U...HJ.S...N.U&..o..B.)K$4...k....L..c4j.....(A=.-x.v.*I_0...X.oM....Z.|".m$^.......1n....xI.e..._...c..../S..vG..K5rY.VRI.....B..L.w..pQ..W./.V....8._F..l.aE...E....."2 G.6........>.....\...`.n..tP0(.{...]...6&./1L..0...M.M.....xm.KB......\i&M....5..aZ...[4/.W.V%..h...F.K.c.<u..Td...]..2..~..T8..z.5.D]........r.d...~.Zq_....Sw........C.>3(..*+..MK.KT.

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\msvcp140.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):566704
                                                                        Entropy (8bit):6.494428734965787
                                                                        Encrypted:false
                                                                        SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                                        MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                                        SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                                        SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                                        SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):35656
                                                                        Entropy (8bit):6.370522595411868
                                                                        Encrypted:false
                                                                        SSDEEP:768:ixmeWkfdHAWcgj7Y7rEabyLcRwEpYinAMx1nyqaJ:pXUdg8jU7r4LcRZ7Hx1nyqa
                                                                        MD5:D3CAC4D7B35BACAE314F48C374452D71
                                                                        SHA1:95D2980786BC36FEC50733B9843FDE9EAB081918
                                                                        SHA-256:4233600651FB45B9E50D2EC8B98B9A76F268893B789A425B4159675B74F802AA
                                                                        SHA-512:21C8D73CC001EF566C1F3C7924324E553A6DCA68764ECB11C115846CA54E74BD1DFED12A65AF28D9B00DDABA04F987088AA30E91B96E050E4FC1A256FFF20880
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D..D..D..M.3.J......F......W......N......G......F..D..l......A..D.........E...._.E......E..RichD..................PE..d................"....#.2...4......`7.........@..........................................`..................................................b..,....................d..H'......<....Z..p...........................`Y..@............P...............................text....1.......2.................. ..`.rdata..H"...P...$...6..............@..@.data...H............Z..............@....pdata...............\..............@..@.rsrc................`..............@..@.reloc..<............b..............@..B........................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):22
                                                                        Entropy (8bit):3.879664004902594
                                                                        Encrypted:false
                                                                        SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                                        MD5:D9324699E54DC12B3B207C7433E1711C
                                                                        SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                                        SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                                        SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                                        Malicious:false
                                                                        Preview:@echo off..Start "" %1

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swresample-4.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):158968
                                                                        Entropy (8bit):6.4238235663554955
                                                                        Encrypted:false
                                                                        SSDEEP:1536:izN/1rbQ+rTccg/Lla75jjVBzYCDNzuDQr5whduOd7EKPuh9Aco6uAGUtQFUzcnX:8N/FQ+rejlaFhdrXORhjD6VGUtQWk
                                                                        MD5:7FB892E2AC9FF6981B6411FF1F932556
                                                                        SHA1:861B6A1E59D4CD0816F4FEC6FD4E31FDE8536C81
                                                                        SHA-256:A45A29AECB118FC1A27ECA103EAD50EDD5343F85365D1E27211FE3903643C623
                                                                        SHA-512:986672FBB14F3D61FFF0924801AAB3E9D6854BB3141B95EE708BF5B80F8552D5E0D57182226BABA0AE8995A6A6F613864AB0E5F26C4DCE4EB88AB82B060BDAC5
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........O.....&"...&.h..........P.....................................................`... ...................................... .......0..T....`..........X....E..H'...p..................................(...................02...............................text....f.......h..................`..`.data................l..............@....rdata...Q.......R...n..............@..@.pdata..X...........................@..@.xdata..............................@..@.bss.....................................edata....... ......................@..@.idata..T....0......................@....CRT....X....@......................@....tls.........P......................@....rsrc........`......................@....reloc.......p......................@..B................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\swscale-7.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):707200
                                                                        Entropy (8bit):6.610520126248797
                                                                        Encrypted:false
                                                                        SSDEEP:12288:hTl8xt5jEuhuoWZz8Rt5brZcXVEZMbYwepVQ0G6ddTD8qevJMLf50555555555mj:hZ8xt5jEuhuoWZz8Rt5brZcXVEZMbYJz
                                                                        MD5:1144E36E0F8F739DB55A7CF9D4E21E1B
                                                                        SHA1:9FA49645C0E3BAE0EDD44726138D7C72EECE06DD
                                                                        SHA-256:65F8E4D76067C11F183C0E1670972D81E878E6208E501475DE514BC4ED8638FD
                                                                        SHA-512:A82290D95247A67C4D06E5B120415318A0524D00B9149DDDD8B32E21BBD0EE4D86BB397778C4F137BF60DDD4167EE2E9C6490B3018031053E9FE3C0D0B3250E7
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........-.....&"...&............P.....................................................`... ......................................P.......`..........x....P......8...H'......................................(....................c..`............................text...(...........................`..`.data...............................@....rdata...s.......t..................@..@.pdata.......P...0...&..............@..@.xdata...9.......:...V..............@..@.bss.....................................edata.......P......................@..@.idata.......`......................@....CRT....`....p......................@....tls................................@....rsrc...x...........................@....reloc..............................@..B................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\una_front\classes.jsa

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):12124160
                                                                        Entropy (8bit):4.1175508751036585
                                                                        Encrypted:false
                                                                        SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                                        MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                                        SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                                        SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                                        SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                                        Malicious:false
                                                                        Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\una_front\java.datatransfer.jmod

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Java jmod module version 1.0
                                                                        Category:dropped
                                                                        Size (bytes):51389
                                                                        Entropy (8bit):7.916683616123071
                                                                        Encrypted:false
                                                                        SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                                        MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                                        SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                                        SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                                        SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                                        Malicious:false
                                                                        Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\una_front\java.instrument.jmod

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Java jmod module version 1.0
                                                                        Category:dropped
                                                                        Size (bytes):41127
                                                                        Entropy (8bit):7.961466748192397
                                                                        Encrypted:false
                                                                        SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                                        MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                                        SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                                        SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                                        SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                                        Malicious:false
                                                                        Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\una_front\java.logging.jmod

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Java jmod module version 1.0
                                                                        Category:dropped
                                                                        Size (bytes):113725
                                                                        Entropy (8bit):7.928841651831531
                                                                        Encrypted:false
                                                                        SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                                        MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                                        SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                                        SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                                        SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                                        Malicious:false
                                                                        Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\una_front\java.management.jmod

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Java jmod module version 1.0
                                                                        Category:dropped
                                                                        Size (bytes):896846
                                                                        Entropy (8bit):7.923431656723031
                                                                        Encrypted:false
                                                                        SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                                        MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                                        SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                                        SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                                        SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                                        Malicious:false
                                                                        Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\utest.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):639224
                                                                        Entropy (8bit):6.219852228773659
                                                                        Encrypted:false
                                                                        SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                                        MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                                        SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                                        SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                                        SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):98224
                                                                        Entropy (8bit):6.452201564717313
                                                                        Encrypted:false
                                                                        SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                                        MD5:F34EB034AA4A9735218686590CBA2E8B
                                                                        SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                                        SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                                        SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140_1.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):37256
                                                                        Entropy (8bit):6.297533243519742
                                                                        Encrypted:false
                                                                        SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                                        MD5:135359D350F72AD4BF716B764D39E749
                                                                        SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                                        SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                                        SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\w32-pthreads.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):53576
                                                                        Entropy (8bit):6.371750593889357
                                                                        Encrypted:false
                                                                        SSDEEP:1536:ij2SSS5nVoSiH/pOfv3Q3cY37Hx1nI6q:GhSSntiH/pOfvAf3
                                                                        MD5:E1EEBD44F9F4B52229D6E54155876056
                                                                        SHA1:052CEA514FC3DA5A23DE6541F97CD4D5E9009E58
                                                                        SHA-256:D96F2242444A334319B4286403D4BFADAF3F9FCCF390F3DD40BE32FB48CA512A
                                                                        SHA-512:235BB9516409A55FE7DDB49B4F3179BDCA406D62FD0EC1345ACDDF032B0F3F111C43FF957D4D09AD683D39449C0FFC4C050B387507FADF5384940BD973DAB159
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.<.K.o.K.o.K.o.3.o.K.oK7.n.K.oK7so.K.oK7.n.K.oK7.n.K.oK7.n.K.o'9.n.K.o.K.o.K.o,6.n.K.o,6.n.K.o,6qo.K.o.K.o.K.o,6.n.K.oRich.K.o........PE..d....Q............" ...#.b...J.......f............................................../.....`............................................X...(...........................H'......8.......p...........................P...@...............@............................text...ha.......b.................. ..`.rdata..P,...........f..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..8...........................@..B........................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\zlib.dll

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):144200
                                                                        Entropy (8bit):6.592048391646652
                                                                        Encrypted:false
                                                                        SSDEEP:1536:GjxOs8gLeu4iSssNiTh9Yks32X3KqVy5SmBolzXfqLROJA0o1ZXMvr7Rn6dheIOI:I34iDsG5vm4bfqFKoDmr7h2MHTtwV6K
                                                                        MD5:3A0DBC5701D20AA87BE5680111A47662
                                                                        SHA1:BC581374CA1EBE8565DB182AC75FB37413220F03
                                                                        SHA-256:D53BC4348AD6355C20F75ED16A2F4F641D24881956A7AE8A0B739C0B50CF8091
                                                                        SHA-512:4740945606636C110AB6C365BD1BE6377A2A9AC224DE6A79AA506183472A9AD0641ECC63E5C5219EE8097ADEF6533AB35E2594D6F8A91788347FDA93CDB0440E
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...&............P....................................................`... ......................................0..|....@..8....p..................H'......................................(....................A..p............................text...............................`..`.data...............................@....rdata...W.......X..................@..@.pdata..............................@..@.xdata..............................@..@.bss......... ...........................edata..|....0......................@..@.idata..8....@......................@....CRT....X....P......................@....tls.........`......................@....rsrc........p......................@....reloc..............................@..B................................................................................................................................

                                                                        C:\Windows\Installer\4c7acb.msi

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {327C9D99-2094-4698-BA9F-6725EDBE02DC}, Number of Words: 10, Subject: Weisx App, Author: Trindo Coorp Sols, Name of Creating Application: Weisx App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Weisx App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 6 10:14:07 2025, Last Saved Time/Date: Mon Jan 6 10:14:07 2025, Last Printed: Mon Jan 6 10:14:07 2025, Number of Pages: 450
                                                                        Category:dropped
                                                                        Size (bytes):60709189
                                                                        Entropy (8bit):7.214340259233215
                                                                        Encrypted:false
                                                                        SSDEEP:786432:UrBkuVmrjV7eIAtenOTZ6oh7Da123AG1ZUJEAyQhcJ7hRNtq50a:UrlVmrjV7eIvnOTZ6ca491SJ5yu4V4W
                                                                        MD5:5B9D5851602B98C84C44C08E8112C42C
                                                                        SHA1:1F84DD588066BB9CFF409E9CAF9F7F87B690279A
                                                                        SHA-256:4274B7541835D424A306F05FAD2FCC8DC596D7D6DBEBBB05C1246EB49F88C2A0
                                                                        SHA-512:FF25B5DEEAD487177CE2E6C2CA6E17D5881A11C3382201415ECA11DFED643503E081E4E613FA845ADE27DB2CEC4402A3AC056F0E8988C1274F7D34E2BB92020E
                                                                        Malicious:false
                                                                        Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...X...K...L...e...N...O...P...Q...R...S...T...U...V...W...("..""..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

                                                                        C:\Windows\Installer\4c7ace.msi

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {327C9D99-2094-4698-BA9F-6725EDBE02DC}, Number of Words: 10, Subject: Weisx App, Author: Trindo Coorp Sols, Name of Creating Application: Weisx App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Weisx App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 6 10:14:07 2025, Last Saved Time/Date: Mon Jan 6 10:14:07 2025, Last Printed: Mon Jan 6 10:14:07 2025, Number of Pages: 450
                                                                        Category:dropped
                                                                        Size (bytes):60709189
                                                                        Entropy (8bit):7.214340259233215
                                                                        Encrypted:false
                                                                        SSDEEP:786432:UrBkuVmrjV7eIAtenOTZ6oh7Da123AG1ZUJEAyQhcJ7hRNtq50a:UrlVmrjV7eIvnOTZ6ca491SJ5yu4V4W
                                                                        MD5:5B9D5851602B98C84C44C08E8112C42C
                                                                        SHA1:1F84DD588066BB9CFF409E9CAF9F7F87B690279A
                                                                        SHA-256:4274B7541835D424A306F05FAD2FCC8DC596D7D6DBEBBB05C1246EB49F88C2A0
                                                                        SHA-512:FF25B5DEEAD487177CE2E6C2CA6E17D5881A11C3382201415ECA11DFED643503E081E4E613FA845ADE27DB2CEC4402A3AC056F0E8988C1274F7D34E2BB92020E
                                                                        Malicious:false
                                                                        Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...X...K...L...e...N...O...P...Q...R...S...T...U...V...W...("..""..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

                                                                        C:\Windows\Installer\MSI82F9.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1021792
                                                                        Entropy (8bit):6.608727172078022
                                                                        Encrypted:false
                                                                        SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                        MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                        SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                        SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                        SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\MSI83F4.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1021792
                                                                        Entropy (8bit):6.608727172078022
                                                                        Encrypted:false
                                                                        SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                        MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                        SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                        SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                        SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\MSI8424.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1021792
                                                                        Entropy (8bit):6.608727172078022
                                                                        Encrypted:false
                                                                        SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                        MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                        SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                        SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                        SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\MSI8454.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1021792
                                                                        Entropy (8bit):6.608727172078022
                                                                        Encrypted:false
                                                                        SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                        MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                        SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                        SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                        SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\MSI8493.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1201504
                                                                        Entropy (8bit):6.4557937684843365
                                                                        Encrypted:false
                                                                        SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                                        MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                                        SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                                        SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                                        SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\MSI84E3.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1021792
                                                                        Entropy (8bit):6.608727172078022
                                                                        Encrypted:false
                                                                        SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                        MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                        SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                        SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                        SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\MSI8512.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1021792
                                                                        Entropy (8bit):6.608727172078022
                                                                        Encrypted:false
                                                                        SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                        MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                        SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                        SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                        SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\MSIA4FF.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):380520
                                                                        Entropy (8bit):6.512348002260683
                                                                        Encrypted:false
                                                                        SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                                        MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                                        SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                                        SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                                        SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\MSIAA02.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):215284
                                                                        Entropy (8bit):4.945246309296611
                                                                        Encrypted:false
                                                                        SSDEEP:1536:yus9WT71Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykAh:yV9g1Z0vZXJZYDFufyXbJNCcA
                                                                        MD5:84993A8CBFA0F39D394C8395FD5D47AC
                                                                        SHA1:E81C03C2E2085ED44E042D97E75313AD166B7436
                                                                        SHA-256:DC8DEA493299BD5B1DC14863BB8792B1E846A944995303FE8B47D9D8230C0DB1
                                                                        SHA-512:5408D20F710C53C2348E897E01329522BC1E154E833B9975E377A673B1DF1542263B84611ADA12BAFDFBD94D6110764FEF58EFC7C1EDADA52EEC1080EC7AC5D6
                                                                        Malicious:false
                                                                        Preview:...@IXOS.@.....@.r&Z.@.....@.....@.....@.....@.....@......&.{66953C33-9A06-4AA2-86BC-B339791EE9DF}..Weisx App..u1XWB0BIju.msi.@.....@.....@.....@......icon_24.exe..&.{327C9D99-2094-4698-BA9F-6725EDBE02DC}.....@.....@.....@.....@.......@.....@.....@.......@......Weisx App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@3....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F};.C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}0.21:\Software\Trindo Coorp Sols\Weisx App\Version.@.......@.....@.....@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}D.C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\utest.dll.@.......@.....@.....@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}K.C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\vcruntime140.dll.@.......@.....@.....@......&.{FDDB96EE-847D-4

                                                                        C:\Windows\Installer\MSIAA03.tmp

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):787808
                                                                        Entropy (8bit):6.693392695195763
                                                                        Encrypted:false
                                                                        SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                                        MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                                        SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                                        SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                                        SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\SourceHash{66953C33-9A06-4AA2-86BC-B339791EE9DF}

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.164104007543569
                                                                        Encrypted:false
                                                                        SSDEEP:12:JSbX72FjsNAGiLIlHVRpZh/7777777777777777777777777vDHFBmOn+JnQ7+S6:JyNQI5tD+I+TiF
                                                                        MD5:269772BCEEF37037AFBE54ECA0A0EEB3
                                                                        SHA1:EEE8423FEDAE233F0325271658329B3CF8A8487E
                                                                        SHA-256:6259B56F8C0A6E9FE8CBDF299B235597C5508C53CA5DE1A94D2A56B78FDF406B
                                                                        SHA-512:100A1C2562B73D97F9E9B02C2BF6F4EF49CB64883E40462369C5E8EBA8768D8864637F5028A0F70F7C5E19A5C04EE23D74CDA20E2449C7D3D2AB467B91AF38BD
                                                                        Malicious:false
                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.5689201611628936
                                                                        Encrypted:false
                                                                        SSDEEP:48:S8PhuuRc06WXJ0FT5+fSkOAECiCy04SCktoWMUXmkkSCk0TTSk:9hu13FTWnECUYXe
                                                                        MD5:0B3B73AB82235BA00C84F07ACB4B70FA
                                                                        SHA1:EE979509CF7F2218BBE2BB430004F9E7A58BDDA1
                                                                        SHA-256:5A7CA6B36038F24784409413F87325D4C182C2F684D86A88F3ADFAF20343CB7C
                                                                        SHA-512:85C5F3F6C94FFB87E5176C2E16871B72C30B5A8330C3CF9B1590E6452E1894A908B930386BBDD8128E75EF35A77B4D4979A427EE65871DE276610390715BFA49
                                                                        Malicious:false
                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):432221
                                                                        Entropy (8bit):5.375169921115247
                                                                        Encrypted:false
                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauX:zTtbmkExhMJCIpErC
                                                                        MD5:CAB11611D60CFB360F3F7CCD9FFDB548
                                                                        SHA1:1E8000C8AA9DEE5D70DFF54FCAFC076841FE948F
                                                                        SHA-256:1B0F837542FEFF06993BB8F84B8B041598A23C6507062BCAACB0CF8BDA78F575
                                                                        SHA-512:014748431A829A1D871D9ABD99575A5BAD8E9638D3A464EABCD75DD772BD8601D99F7316A69E0BF5D7B6F7E08F2078537023DBF95DD83E88BC1C61ED50A50CFA
                                                                        Malicious:false
                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                        C:\Windows\Temp\~DF020FDB97490A11B0.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):0.07152843649189178
                                                                        Encrypted:false
                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOQUm2/5n5gJ7kIQ7+PhgVky6lit/:2F0i8n0itFzDHFBmOn+JnQ7+Fit/
                                                                        MD5:F5BBF574CEA8CC8A89BCD272AB2A55C4
                                                                        SHA1:DC981C660C78A5ACBA81B81D4D28F9058A3231BD
                                                                        SHA-256:6914631EEFCB21E4E9C8819280585A3601AE5652C4364E9F7392361740B00B45
                                                                        SHA-512:EA938AE909DA0CC72A0397CA5D4529D5220B6A6153B2C54F688AEDA29248FB6CAE6783EE698359249ED618BDCD97C9214DF6A6EA9DBFF7387800009DA216A12B
                                                                        Malicious:false
                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DF0B232402B0D2CE7E.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DF2268F1C747DCD989.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.5689201611628936
                                                                        Encrypted:false
                                                                        SSDEEP:48:S8PhuuRc06WXJ0FT5+fSkOAECiCy04SCktoWMUXmkkSCk0TTSk:9hu13FTWnECUYXe
                                                                        MD5:0B3B73AB82235BA00C84F07ACB4B70FA
                                                                        SHA1:EE979509CF7F2218BBE2BB430004F9E7A58BDDA1
                                                                        SHA-256:5A7CA6B36038F24784409413F87325D4C182C2F684D86A88F3ADFAF20343CB7C
                                                                        SHA-512:85C5F3F6C94FFB87E5176C2E16871B72C30B5A8330C3CF9B1590E6452E1894A908B930386BBDD8128E75EF35A77B4D4979A427EE65871DE276610390715BFA49
                                                                        Malicious:false
                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DF5AD78C816C6A9EAD.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):73728
                                                                        Entropy (8bit):0.13880250298243643
                                                                        Encrypted:false
                                                                        SSDEEP:48:qk+YTekkSCkhkOAECiCy04SCktoWMUXOg:m7ECUYXO
                                                                        MD5:56DC6C75EE5095C41D3F82F15DED31AE
                                                                        SHA1:C163A2AC42205521E33F40192F427880D56C2F76
                                                                        SHA-256:04D01F19D6D2AA1AD38693DE01DF7A326786B203C1BFA1AE8C349C7F26CA6091
                                                                        SHA-512:0130328E9AC80299CE54C9BB4F1380FEDBA9BB143AA569A792A54DED9F1A4C8EDBE383B299419EF4F5703C4AE5830AC23CF78FE1A82D4AC9787A55FEC33813B9
                                                                        Malicious:false
                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DF9B3B1E0F1BB46043.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DFAD8B19283D90632F.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DFB340D0C4CFE7EDCD.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2571775493277133
                                                                        Encrypted:false
                                                                        SSDEEP:48:MXmusrO+CFXJpT5E8fSkOAECiCy04SCktoWMUXmkkSCk0TTSk:CmnIRTu2nECUYXe
                                                                        MD5:525CE4FBA15BB471CBEBB77D8C775078
                                                                        SHA1:F23720DE7188AC355D8C8F1899018D733F86F107
                                                                        SHA-256:B04AB4AF8513161B14978EDE381F728F971925AFA2E0B82B54E273A8D681C7A4
                                                                        SHA-512:5287BD16DE4464997ACCD36E4268E8C2CE0E82ABD642F15747B8C27D94DCF1D1AE5A4DFC4054227E13D2751B0ECE420D4947928D8E82B71CAAE8BBFFF1ECE4A8
                                                                        Malicious:false
                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DFBF632C55ED952FDC.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DFCD0F2F08BA6FBE42.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DFD18CD1B5B2C8BF2A.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.5689201611628936
                                                                        Encrypted:false
                                                                        SSDEEP:48:S8PhuuRc06WXJ0FT5+fSkOAECiCy04SCktoWMUXmkkSCk0TTSk:9hu13FTWnECUYXe
                                                                        MD5:0B3B73AB82235BA00C84F07ACB4B70FA
                                                                        SHA1:EE979509CF7F2218BBE2BB430004F9E7A58BDDA1
                                                                        SHA-256:5A7CA6B36038F24784409413F87325D4C182C2F684D86A88F3ADFAF20343CB7C
                                                                        SHA-512:85C5F3F6C94FFB87E5176C2E16871B72C30B5A8330C3CF9B1590E6452E1894A908B930386BBDD8128E75EF35A77B4D4979A427EE65871DE276610390715BFA49
                                                                        Malicious:false
                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DFE4E5EA3B413F61AE.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2571775493277133
                                                                        Encrypted:false
                                                                        SSDEEP:48:MXmusrO+CFXJpT5E8fSkOAECiCy04SCktoWMUXmkkSCk0TTSk:CmnIRTu2nECUYXe
                                                                        MD5:525CE4FBA15BB471CBEBB77D8C775078
                                                                        SHA1:F23720DE7188AC355D8C8F1899018D733F86F107
                                                                        SHA-256:B04AB4AF8513161B14978EDE381F728F971925AFA2E0B82B54E273A8D681C7A4
                                                                        SHA-512:5287BD16DE4464997ACCD36E4268E8C2CE0E82ABD642F15747B8C27D94DCF1D1AE5A4DFC4054227E13D2751B0ECE420D4947928D8E82B71CAAE8BBFFF1ECE4A8
                                                                        Malicious:false
                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        C:\Windows\Temp\~DFF6B6F63A03D0D53A.TMP

                                                                        Download File
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2571775493277133
                                                                        Encrypted:false
                                                                        SSDEEP:48:MXmusrO+CFXJpT5E8fSkOAECiCy04SCktoWMUXmkkSCk0TTSk:CmnIRTu2nECUYXe
                                                                        MD5:525CE4FBA15BB471CBEBB77D8C775078
                                                                        SHA1:F23720DE7188AC355D8C8F1899018D733F86F107
                                                                        SHA-256:B04AB4AF8513161B14978EDE381F728F971925AFA2E0B82B54E273A8D681C7A4
                                                                        SHA-512:5287BD16DE4464997ACCD36E4268E8C2CE0E82ABD642F15747B8C27D94DCF1D1AE5A4DFC4054227E13D2751B0ECE420D4947928D8E82B71CAAE8BBFFF1ECE4A8
                                                                        Malicious:false
                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                        \Device\ConDrv

                                                                        Download File
                                                                        Process:C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):638
                                                                        Entropy (8bit):4.751962275036146
                                                                        Encrypted:false
                                                                        SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                                        MD5:15CA959638E74EEC47E0830B90D0696E
                                                                        SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                                        SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                                        SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                                        Malicious:false
                                                                        Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...

                                                                        Static File Info

                                                                        General

                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {327C9D99-2094-4698-BA9F-6725EDBE02DC}, Number of Words: 10, Subject: Weisx App, Author: Trindo Coorp Sols, Name of Creating Application: Weisx App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Weisx App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 6 10:14:07 2025, Last Saved Time/Date: Mon Jan 6 10:14:07 2025, Last Printed: Mon Jan 6 10:14:07 2025, Number of Pages: 450
                                                                        Entropy (8bit):7.214340259233215
                                                                        TrID:
                                                                        • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                                        File name:u1XWB0BIju.msi
                                                                        File size:60'709'189 bytes
                                                                        MD5:5b9d5851602b98c84c44c08e8112c42c
                                                                        SHA1:1f84dd588066bb9cff409e9caf9f7f87b690279a
                                                                        SHA256:4274b7541835d424a306f05fad2fcc8dc596d7d6dbebbb05c1246eb49f88c2a0
                                                                        SHA512:ff25b5deead487177ce2e6c2ca6e17d5881a11c3382201415eca11dfed643503e081e4e613fa845ade27db2cec4402a3ac056f0e8988c1274f7d34e2bb92020e
                                                                        SSDEEP:786432:UrBkuVmrjV7eIAtenOTZ6oh7Da123AG1ZUJEAyQhcJ7hRNtq50a:UrlVmrjV7eIvnOTZ6ca491SJ5yu4V4W
                                                                        TLSH:35D76C01B3FA4148F2F75E717EBA85A594BABD521B30C0EF1244A60E1B71BC25BB1763
                                                                        File Content Preview:........................>............................................2..................................................................x......................................................................................................................

                                                                        File Icon

                                                                        Icon Hash:2d2e3797b32b2b99

                                                                        Network Behavior

                                                                        Suricata IDS Alerts

                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                        2025-01-06T20:22:14.355999+01002829202ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA1192.168.2.449730104.21.112.1443TCP

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Jan 6, 2025 20:22:13.828864098 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:13.828902960 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:13.828963995 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:13.833240032 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:13.833259106 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.310229063 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.310415983 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.351958036 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.351973057 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.352212906 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.352268934 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.355853081 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.355956078 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.355971098 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.795573950 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.795625925 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.795641899 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.795653105 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.795692921 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.796039104 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.796050072 CET44349730104.21.112.1192.168.2.4
                                                                        Jan 6, 2025 20:22:14.796057940 CET49730443192.168.2.4104.21.112.1
                                                                        Jan 6, 2025 20:22:14.796093941 CET49730443192.168.2.4104.21.112.1

                                                                        UDP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Jan 6, 2025 20:22:13.805969954 CET5409153192.168.2.41.1.1.1
                                                                        Jan 6, 2025 20:22:13.821310043 CET53540911.1.1.1192.168.2.4

                                                                        DNS Queries

                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                        Jan 6, 2025 20:22:13.805969954 CET192.168.2.41.1.1.10xaf9bStandard query (0)palmsizehelis.comA (IP address)IN (0x0001)false

                                                                        DNS Answers

                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                        Jan 6, 2025 20:22:13.821310043 CET1.1.1.1192.168.2.40xaf9bNo error (0)palmsizehelis.com104.21.112.1A (IP address)IN (0x0001)false
                                                                        Jan 6, 2025 20:22:13.821310043 CET1.1.1.1192.168.2.40xaf9bNo error (0)palmsizehelis.com104.21.96.1A (IP address)IN (0x0001)false
                                                                        Jan 6, 2025 20:22:13.821310043 CET1.1.1.1192.168.2.40xaf9bNo error (0)palmsizehelis.com104.21.16.1A (IP address)IN (0x0001)false
                                                                        Jan 6, 2025 20:22:13.821310043 CET1.1.1.1192.168.2.40xaf9bNo error (0)palmsizehelis.com104.21.32.1A (IP address)IN (0x0001)false
                                                                        Jan 6, 2025 20:22:13.821310043 CET1.1.1.1192.168.2.40xaf9bNo error (0)palmsizehelis.com104.21.64.1A (IP address)IN (0x0001)false
                                                                        Jan 6, 2025 20:22:13.821310043 CET1.1.1.1192.168.2.40xaf9bNo error (0)palmsizehelis.com104.21.48.1A (IP address)IN (0x0001)false
                                                                        Jan 6, 2025 20:22:13.821310043 CET1.1.1.1192.168.2.40xaf9bNo error (0)palmsizehelis.com104.21.80.1A (IP address)IN (0x0001)false

                                                                        HTTP Request Dependency Graph

                                                                        • palmsizehelis.com

                                                                        HTTPS Proxied Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        0192.168.2.449730104.21.112.14437652C:\Windows\SysWOW64\msiexec.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2025-01-06 19:22:14 UTC196OUTPOST /updater2.php HTTP/1.1
                                                                        Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                                        User-Agent: AdvancedInstaller
                                                                        Host: palmsizehelis.com
                                                                        Content-Length: 71
                                                                        Cache-Control: no-cache
                                                                        2025-01-06 19:22:14 UTC71OUTData Raw: 44 61 74 65 3d 30 36 25 32 46 30 31 25 32 46 32 30 32 35 26 54 69 6d 65 3d 31 34 25 33 41 32 32 25 33 41 31 32 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                                        Data Ascii: Date=06%2F01%2F2025&Time=14%3A22%3A12&BuildVersion=8.9.9&SoroqVins=True
                                                                        2025-01-06 19:22:14 UTC835INHTTP/1.1 500 Internal Server Error
                                                                        Date: Mon, 06 Jan 2025 19:22:14 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Cache-Control: no-store
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nspma0h%2FQwE0VbsAxufEPH4xb6pgZAnXvWck1kt6IiEbwPpd9Xv6CcP5XeqZX7M5x7DmIl5GwJFTTVwdajMJdNedUn6H7Y5ERF%2FHyi4Ke9ylSl2PRuEjjyQeyI2xIn0wDTuhjg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8fde13600ff8727b-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1940&rtt_var=750&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=927&delivery_rate=1438423&cwnd=234&unsent_bytes=0&cid=27b539b8b512cca3&ts=499&x=0"
                                                                        2025-01-06 19:22:14 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Statistics

                                                                        CPU Usage

                                                                        Click to jump to process

                                                                        Memory Usage

                                                                        Click to jump to process

                                                                        High Level Behavior Distribution

                                                                        Click to dive into process behavior distribution

                                                                        Behavior

                                                                        Click to jump to process

                                                                        System Behavior

                                                                        General

                                                                        Target ID:0
                                                                        Start time:14:22:01
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\u1XWB0BIju.msi"
                                                                        Imagebase:0x7ff6f3f50000
                                                                        File size:69'632 bytes
                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:1
                                                                        Start time:14:22:01
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                        Imagebase:0x7ff6f3f50000
                                                                        File size:69'632 bytes
                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        General

                                                                        Target ID:2
                                                                        Start time:14:22:04
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding BCF536C01B3B5FF4437C62D33C06815B
                                                                        Imagebase:0xb0000
                                                                        File size:59'904 bytes
                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:3
                                                                        Start time:14:22:14
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssAA7A.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiAA67.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrAA68.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrAA69.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                        Imagebase:0x650000
                                                                        File size:433'152 bytes
                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:4
                                                                        Start time:14:22:14
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:6
                                                                        Start time:14:22:20
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\suriqk.bat" "C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe""
                                                                        Imagebase:0x7ff727e90000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:7
                                                                        Start time:14:22:20
                                                                        Start date:06/01/2025
                                                                        Path:C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\createdump.exe"
                                                                        Imagebase:0x7ff745fc0000
                                                                        File size:57'488 bytes
                                                                        MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 0%, ReversingLabs
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:8
                                                                        Start time:14:22:20
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:9
                                                                        Start time:14:22:20
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:10
                                                                        Start time:14:22:20
                                                                        Start date:06/01/2025
                                                                        Path:C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Roaming\Trindo Coorp Sols\Weisx App\obs-ffmpeg-mux.exe"
                                                                        Imagebase:0x7ff6dbb60000
                                                                        File size:35'656 bytes
                                                                        MD5 hash:D3CAC4D7B35BACAE314F48C374452D71
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 0%, ReversingLabs
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:11
                                                                        Start time:14:22:20
                                                                        Start date:06/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Disassembly

                                                                        Reset < >

                                                                          Executed Functions

                                                                          Function 06FB1B50 Relevance: 3.9, Strings: 3, Instructions: 199COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1786206123.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6fb0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $^q$$^q$$^q
                                                                          • API String ID: 0-831282457
                                                                          • Opcode ID: 7035e6ad5b5d928161191a29edd2f66d57e886f66b811efd3482fcd520d237a4
                                                                          • Instruction ID: 6e3202cc550a97244f848a739de2b83601566c1d46720a3d1382a52888ab3dcc
                                                                          • Opcode Fuzzy Hash: 7035e6ad5b5d928161191a29edd2f66d57e886f66b811efd3482fcd520d237a4
                                                                          • Instruction Fuzzy Hash: 1F610171F042589FDB64DF6AD860AEABBE2AF85210F14C4BAE405CB352DB31CD45C7A1
                                                                          Function 06FB1B34 Relevance: 2.6, Strings: 2, Instructions: 95COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1786206123.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6fb0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $^q$$^q
                                                                          • API String ID: 0-355816377
                                                                          • Opcode ID: f25eb50666c333166457005de1d4a0d7fee7ad3697fde0b61aa6c5b56a3d78c2
                                                                          • Instruction ID: 629a7c7dabc339e86500db7c992fcb416ea950becf5d9fa655ef9cbe7d802fd3
                                                                          • Opcode Fuzzy Hash: f25eb50666c333166457005de1d4a0d7fee7ad3697fde0b61aa6c5b56a3d78c2
                                                                          • Instruction Fuzzy Hash: 91319E71E04209DFDBA8CF1AC5A4AE67BF2EF45261F18D1BAE8058B251D334CD85CB91
                                                                          Function 028036B0 Relevance: .6, Instructions: 622COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781402014.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_2800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a7b6962a5c9dc87a7fbb2186a10d3ededa626b6dced27c81782f18410490bc00
                                                                          • Instruction ID: 89ac2814974f949c36e870fa4ed603c1d3bc089c26fde71ca79ee834e8e5c3b8
                                                                          • Opcode Fuzzy Hash: a7b6962a5c9dc87a7fbb2186a10d3ededa626b6dced27c81782f18410490bc00
                                                                          • Instruction Fuzzy Hash: 4242B078B042459FC755CB28C490BAABBF2BF89304B158599D886CF7A6CB35EC42CB51
                                                                          Function 02808478 Relevance: .3, Instructions: 266COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781402014.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_2800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 41185e2060417518baea96211086a5303e16287f3b101055c8f18f09d6f6276a
                                                                          • Instruction ID: ad20671cceb75217d5532aad68d98bdc097ab12d9099a1864e3947b7f9d4024c
                                                                          • Opcode Fuzzy Hash: 41185e2060417518baea96211086a5303e16287f3b101055c8f18f09d6f6276a
                                                                          • Instruction Fuzzy Hash: E2A16E39E002488FDB54DFA4D994AADBBB2FF84304F118558D406EF3A9DB34AD89CB44
                                                                          Function 02808BC8 Relevance: .2, Instructions: 196COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781402014.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_2800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fd9c53b05b84959584ea6420f5fadfc62a8b8cc22d28a040eba7b418f062009a
                                                                          • Instruction ID: 6a059c22fdb22daeec39e21f76e3a43b4809824dc988a937d3ae821463b135fa
                                                                          • Opcode Fuzzy Hash: fd9c53b05b84959584ea6420f5fadfc62a8b8cc22d28a040eba7b418f062009a
                                                                          • Instruction Fuzzy Hash: 2671D034A01249CFDB14DF68C884AAEBBF6FF85314F148569E419DB391DB31AC86CB90
                                                                          Function 02808D36 Relevance: .2, Instructions: 188COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781402014.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_2800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dbf12db3435977f04c2babcb68b6c58ecd04c597e39322f6a121b83f16e7887f
                                                                          • Instruction ID: c9b53bab65d1b6f7966991e415391e6bc57dc61ae6a0710336445f11525218af
                                                                          • Opcode Fuzzy Hash: dbf12db3435977f04c2babcb68b6c58ecd04c597e39322f6a121b83f16e7887f
                                                                          • Instruction Fuzzy Hash: 29715C34E012489FDB54DFA4D884BADBBF2BF88304F158529D416AB3A1DB34AC86CF51
                                                                          Function 02808959 Relevance: .1, Instructions: 137COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781402014.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_2800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c9300e0d1760ca38780bb9882cbd47761d93f0ceee0b4736cd08000e0ba1074d
                                                                          • Instruction ID: c2772a858bcda3e573ca8ecbbbce624401a72745bfe26f1d9402349291601674
                                                                          • Opcode Fuzzy Hash: c9300e0d1760ca38780bb9882cbd47761d93f0ceee0b4736cd08000e0ba1074d
                                                                          • Instruction Fuzzy Hash: 2C51A638A402048FDB14DF24C9A8AAE7BF2EF89754F144569E406EB3A4CF349C81CB50
                                                                          Function 02808BB3 Relevance: .1, Instructions: 115COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781402014.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_2800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4554c22ba9082b37bd26b78e12ef948e9e44e5af48edd69a2204bf98edb09200
                                                                          • Instruction ID: 412473d000155905bb77be139fb0f2cce59ffa5a7d54958bb5d80f1abf87654e
                                                                          • Opcode Fuzzy Hash: 4554c22ba9082b37bd26b78e12ef948e9e44e5af48edd69a2204bf98edb09200
                                                                          • Instruction Fuzzy Hash: 30417C74E002488FDB68DFA9C8947ADBBF2BF85304F158529D406EB394DB74AC85CB80
                                                                          Function 0280BDB8 Relevance: .1, Instructions: 59COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781402014.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_2800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 37458bf4e23f9e299434ffc86b64e0714041b2a4c90dd983a0d7cb20c1fe5c5e
                                                                          • Instruction ID: d5899015872a91626473fa131e7405b1bf6bb6096071d4e3378a27bede9b4c98
                                                                          • Opcode Fuzzy Hash: 37458bf4e23f9e299434ffc86b64e0714041b2a4c90dd983a0d7cb20c1fe5c5e
                                                                          • Instruction Fuzzy Hash: BE21F9B8A002099FCB40DF98D9909AEFBF5FF89310B158599E909EB351C735ED41CBA1
                                                                          Function 026ED006 Relevance: .0, Instructions: 45COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781093226.00000000026ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 026ED000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_26ed000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4a2dee365bab05f11085a1da5c8c77ba957005c3adbe912fc5506b016084e91c
                                                                          • Instruction ID: 25669c8e05f33d80e04069c139fe38f5d486324601690ebc7d2175a606712672
                                                                          • Opcode Fuzzy Hash: 4a2dee365bab05f11085a1da5c8c77ba957005c3adbe912fc5506b016084e91c
                                                                          • Instruction Fuzzy Hash: 87015E6100E3C09FD7128B258D94B52BFB8EF47224F1DC4CBD9888F2A3C2699849C772
                                                                          Function 026ED01D Relevance: .0, Instructions: 45COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781093226.00000000026ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 026ED000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_26ed000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 32af7c7ddb095f928efbea30298071b1ab10e05fa1dabe7da4ec57595ce27378
                                                                          • Instruction ID: 69b98ababb802d71ec0a2cab4f81bae3e2baf46a96e69ea3d4619a44f1263f8a
                                                                          • Opcode Fuzzy Hash: 32af7c7ddb095f928efbea30298071b1ab10e05fa1dabe7da4ec57595ce27378
                                                                          • Instruction Fuzzy Hash: 94012B3100A380AEEB104E29CD84B67BFDCDF41324F0CC429EC0A0B246C379D882C6B1
                                                                          Function 028088ED Relevance: .0, Instructions: 24COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1781402014.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_2800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ff0918357a6fc581eb71f4857691ca605a150c4933dc6efa54bfa36f25c5af7c
                                                                          • Instruction ID: 4853eab1ea95c3162f7fcd5908fe56744b74ffe8629509d5341458e6fd37f034
                                                                          • Opcode Fuzzy Hash: ff0918357a6fc581eb71f4857691ca605a150c4933dc6efa54bfa36f25c5af7c
                                                                          • Instruction Fuzzy Hash: 72F01C34A4020A8FDB04EBA4D599B6E7BA2AB40344F108818D1069F3A8DB789988CB80

                                                                          Non-executed Functions

                                                                          Function 06FB1658 Relevance: 15.3, Strings: 12, Instructions: 271COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1786206123.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6fb0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 84Wk$84Wk$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$Ok$Ok
                                                                          • API String ID: 0-3253000506
                                                                          • Opcode ID: 81887108d60e4bed12387ae77c00dbe54020bc81d2b1cea035cf86bb208d458a
                                                                          • Instruction ID: 61faea136b46ecde98db2bd415236c550abb2a54c01b4201e9ae52a8b89cd3cf
                                                                          • Opcode Fuzzy Hash: 81887108d60e4bed12387ae77c00dbe54020bc81d2b1cea035cf86bb208d458a
                                                                          • Instruction Fuzzy Hash: AD914E31F083449FD755DB6AD8206A6BBE6AF86320B2880ABD545CF392CE31DC05C7A1
                                                                          Function 06FB0898 Relevance: 10.2, Strings: 8, Instructions: 177COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1786206123.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6fb0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                          • API String ID: 0-3732357466
                                                                          • Opcode ID: 6bf05d5e92d560cc67b8e83b4d985ae1e015c2fc4033c82f141ce4e410eb4470
                                                                          • Instruction ID: 06b8e3c78be3e17158aea83923644fa48086d6fc62fce66a65b1320aa8276239
                                                                          • Opcode Fuzzy Hash: 6bf05d5e92d560cc67b8e83b4d985ae1e015c2fc4033c82f141ce4e410eb4470
                                                                          • Instruction Fuzzy Hash: 80513736F04309CFEB658A2BD8046EBBBB6AFC5620B24886FD445CB355DE31C945CB91
                                                                          Function 06FB0E88 Relevance: 6.3, Strings: 5, Instructions: 79COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1786206123.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6fb0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4Vk$4Vk$$^q$$^q$$^q
                                                                          • API String ID: 0-529944575
                                                                          • Opcode ID: b5e00f8365127c7e91220e7271ff64678c3b31a7571ee73faf4d32793ba1a59f
                                                                          • Instruction ID: 179b36573676598305a834d2c0954fc1d5aefb7c175815b73a712383d9a1ee66
                                                                          • Opcode Fuzzy Hash: b5e00f8365127c7e91220e7271ff64678c3b31a7571ee73faf4d32793ba1a59f
                                                                          • Instruction Fuzzy Hash: 86115932B102098FE7641A6BA810ABB77C6CFC1650B14843AD506CF396EF36CC46C3B5
                                                                          Function 06FB04D0 Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.1786206123.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6fb0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4'^q$4'^q$$^q$$^q
                                                                          • API String ID: 0-2049395529
                                                                          • Opcode ID: 5482808bea7724b783b21abd31edf0e42e3bafe1b301a2473821b8995d0d6117
                                                                          • Instruction ID: a1e55b7f8f0a563710a958009744f7459db48a07b94bb6cc91fa8d1d9cd26185
                                                                          • Opcode Fuzzy Hash: 5482808bea7724b783b21abd31edf0e42e3bafe1b301a2473821b8995d0d6117
                                                                          • Instruction Fuzzy Hash: DC01F931F4D3894FE76A261D18302E76BF25F8255071A04DBC081DF35BCD294D4A83A6

                                                                          Execution Graph

                                                                          Execution Coverage:3.4%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:1.7%
                                                                          Total number of Nodes:701
                                                                          Total number of Limit Nodes:1
                                                                          execution_graph 2489 7ff745fc16a0 2492 7ff745fc3d50 2489->2492 2491 7ff745fc16c7 2493 7ff745fc3d5f free 2492->2493 2494 7ff745fc3d67 2492->2494 2493->2494 2494->2491 2928 7ff745fc5860 2929 7ff745fc43d0 _CreateFrameInfo 10 API calls 2928->2929 2930 7ff745fc58ad 2929->2930 2931 7ff745fc43d0 _CreateFrameInfo 10 API calls 2930->2931 2932 7ff745fc58bb __except_validate_context_record 2931->2932 2933 7ff745fc43d0 _CreateFrameInfo 10 API calls 2932->2933 2934 7ff745fc5914 2933->2934 2935 7ff745fc43d0 _CreateFrameInfo 10 API calls 2934->2935 2936 7ff745fc591d 2935->2936 2937 7ff745fc43d0 _CreateFrameInfo 10 API calls 2936->2937 2938 7ff745fc5926 2937->2938 2957 7ff745fc3b18 2938->2957 2941 7ff745fc43d0 _CreateFrameInfo 10 API calls 2942 7ff745fc5959 2941->2942 2943 7ff745fc5aa9 abort 2942->2943 2944 7ff745fc5991 2942->2944 2945 7ff745fc3b54 11 API calls 2944->2945 2950 7ff745fc5a31 2945->2950 2946 7ff745fc5a5a __GSHandlerCheck_EH 2947 7ff745fc43d0 _CreateFrameInfo 10 API calls 2946->2947 2948 7ff745fc5a6d 2947->2948 2949 7ff745fc43d0 _CreateFrameInfo 10 API calls 2948->2949 2951 7ff745fc5a76 2949->2951 2950->2946 2952 7ff745fc4104 10 API calls 2950->2952 2953 7ff745fc43d0 _CreateFrameInfo 10 API calls 2951->2953 2952->2946 2954 7ff745fc5a7f 2953->2954 2955 7ff745fc43d0 _CreateFrameInfo 10 API calls 2954->2955 2956 7ff745fc5a8e 2955->2956 2958 7ff745fc43d0 _CreateFrameInfo 10 API calls 2957->2958 2959 7ff745fc3b29 2958->2959 2960 7ff745fc43d0 _CreateFrameInfo 10 API calls 2959->2960 2961 7ff745fc3b34 2959->2961 2960->2961 2962 7ff745fc43d0 _CreateFrameInfo 10 API calls 2961->2962 2963 7ff745fc3b45 2962->2963 2963->2941 2963->2942 2964 7ff745fc7260 2965 7ff745fc7280 2964->2965 2966 7ff745fc7273 2964->2966 2967 7ff745fc1e80 _invalid_parameter_noinfo_noreturn 2966->2967 2967->2965 2968 7ff745fc1ce0 2969 7ff745fc2688 5 API calls 2968->2969 2970 7ff745fc1cea gethostname 2969->2970 2971 7ff745fc1da9 WSAGetLastError 2970->2971 2972 7ff745fc1d08 2970->2972 2973 7ff745fc1450 6 API calls 2971->2973 2975 7ff745fc2040 22 API calls 2972->2975 2974 7ff745fc1d76 2973->2974 2976 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2974->2976 2978 7ff745fc18a0 2975->2978 2977 7ff745fc1d87 2976->2977 2978->2974 2979 7ff745fc1dd0 2978->2979 2980 7ff745fc20c0 21 API calls 2978->2980 2981 7ff745fc1450 6 API calls 2979->2981 2980->2978 2981->2974 2982 7ff745fc195f 2983 7ff745fc196d 2982->2983 2983->2983 2984 7ff745fc1ee0 22 API calls 2983->2984 2985 7ff745fc1a23 2983->2985 2984->2985 2986 7ff745fc2230 22 API calls 2985->2986 2987 7ff745fc1a67 BuildCatchObjectHelperInternal 2985->2987 2986->2987 2988 7ff745fc1da2 _invalid_parameter_noinfo_noreturn 2987->2988 2990 7ff745fc18a0 2987->2990 2989 7ff745fc1da9 WSAGetLastError 2988->2989 2991 7ff745fc1450 6 API calls 2989->2991 2993 7ff745fc1d76 2990->2993 2994 7ff745fc1dd0 2990->2994 2996 7ff745fc20c0 21 API calls 2990->2996 2991->2993 2992 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2995 7ff745fc1d87 2992->2995 2993->2992 2997 7ff745fc1450 6 API calls 2994->2997 2996->2990 2997->2993 2495 7ff745fc4024 2502 7ff745fc642c 2495->2502 2498 7ff745fc4031 2514 7ff745fc6714 2502->2514 2505 7ff745fc402d 2505->2498 2507 7ff745fc44ac 2505->2507 2506 7ff745fc6460 __vcrt_uninitialize_locks DeleteCriticalSection 2506->2505 2519 7ff745fc65e8 2507->2519 2515 7ff745fc6498 __vcrt_FlsAlloc 5 API calls 2514->2515 2516 7ff745fc674a 2515->2516 2517 7ff745fc675f InitializeCriticalSectionAndSpinCount 2516->2517 2518 7ff745fc6444 2516->2518 2517->2518 2518->2505 2518->2506 2520 7ff745fc6498 __vcrt_FlsAlloc 5 API calls 2519->2520 2521 7ff745fc660d TlsAlloc 2520->2521 2523 7ff745fc291a 2524 7ff745fc3020 __scrt_is_managed_app GetModuleHandleW 2523->2524 2525 7ff745fc2921 2524->2525 2526 7ff745fc2960 _exit 2525->2526 2527 7ff745fc2925 2525->2527 2528 7ff745fc191a 2529 7ff745fc194d 2528->2529 2531 7ff745fc18a0 2528->2531 2530 7ff745fc20c0 21 API calls 2529->2530 2530->2531 2532 7ff745fc1d76 2531->2532 2534 7ff745fc1dd0 2531->2534 2536 7ff745fc20c0 21 API calls 2531->2536 2533 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2532->2533 2535 7ff745fc1d87 2533->2535 2537 7ff745fc1450 6 API calls 2534->2537 2536->2531 2537->2532 2998 7ff745fc7559 3001 7ff745fc4158 2998->3001 3002 7ff745fc4182 3001->3002 3003 7ff745fc4170 3001->3003 3005 7ff745fc43d0 _CreateFrameInfo 10 API calls 3002->3005 3003->3002 3004 7ff745fc4178 3003->3004 3006 7ff745fc4180 3004->3006 3008 7ff745fc43d0 _CreateFrameInfo 10 API calls 3004->3008 3007 7ff745fc4187 3005->3007 3007->3006 3009 7ff745fc43d0 _CreateFrameInfo 10 API calls 3007->3009 3010 7ff745fc41a7 3008->3010 3009->3006 3011 7ff745fc43d0 _CreateFrameInfo 10 API calls 3010->3011 3012 7ff745fc41b4 terminate 3011->3012 2538 7ff745fc1b18 _time64 2539 7ff745fc1b34 2538->2539 2539->2539 2540 7ff745fc1bf1 2539->2540 2554 7ff745fc1ee0 2539->2554 2543 7ff745fc1c34 BuildCatchObjectHelperInternal 2540->2543 2568 7ff745fc2230 2540->2568 2544 7ff745fc1da2 _invalid_parameter_noinfo_noreturn 2543->2544 2546 7ff745fc18a0 2543->2546 2545 7ff745fc1da9 WSAGetLastError 2544->2545 2547 7ff745fc1450 6 API calls 2545->2547 2549 7ff745fc1d76 2546->2549 2550 7ff745fc1dd0 2546->2550 2552 7ff745fc20c0 21 API calls 2546->2552 2547->2549 2548 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2551 7ff745fc1d87 2548->2551 2549->2548 2553 7ff745fc1450 6 API calls 2550->2553 2552->2546 2553->2549 2558 7ff745fc1f25 2554->2558 2567 7ff745fc1f04 BuildCatchObjectHelperInternal 2554->2567 2555 7ff745fc2031 2556 7ff745fc17e0 21 API calls 2555->2556 2557 7ff745fc2036 2556->2557 2562 7ff745fc1720 Concurrency::cancel_current_task 4 API calls 2557->2562 2558->2555 2560 7ff745fc1f74 2558->2560 2561 7ff745fc1fa9 2558->2561 2559 7ff745fc2690 5 API calls 2566 7ff745fc1f92 BuildCatchObjectHelperInternal 2559->2566 2560->2557 2560->2559 2564 7ff745fc2690 5 API calls 2561->2564 2561->2566 2565 7ff745fc203c 2562->2565 2563 7ff745fc202a _invalid_parameter_noinfo_noreturn 2563->2555 2564->2566 2566->2563 2566->2567 2567->2540 2569 7ff745fc225e 2568->2569 2570 7ff745fc23ab 2568->2570 2571 7ff745fc22be 2569->2571 2575 7ff745fc22b1 2569->2575 2576 7ff745fc22e6 2569->2576 2572 7ff745fc17e0 21 API calls 2570->2572 2574 7ff745fc2690 5 API calls 2571->2574 2573 7ff745fc23b0 2572->2573 2577 7ff745fc1720 Concurrency::cancel_current_task 4 API calls 2573->2577 2578 7ff745fc22cf BuildCatchObjectHelperInternal 2574->2578 2575->2571 2575->2573 2576->2578 2581 7ff745fc2690 5 API calls 2576->2581 2579 7ff745fc23b6 2577->2579 2580 7ff745fc2364 _invalid_parameter_noinfo_noreturn 2578->2580 2582 7ff745fc2357 BuildCatchObjectHelperInternal 2578->2582 2580->2582 2581->2578 2582->2543 3013 7ff745fc7372 3014 7ff745fc43d0 _CreateFrameInfo 10 API calls 3013->3014 3015 7ff745fc7389 3014->3015 3016 7ff745fc43d0 _CreateFrameInfo 10 API calls 3015->3016 3017 7ff745fc73a4 3016->3017 3018 7ff745fc43d0 _CreateFrameInfo 10 API calls 3017->3018 3019 7ff745fc73ad 3018->3019 3020 7ff745fc5414 __GSHandlerCheck_EH 31 API calls 3019->3020 3021 7ff745fc73f3 3020->3021 3022 7ff745fc43d0 _CreateFrameInfo 10 API calls 3021->3022 3023 7ff745fc73f8 3022->3023 2583 7ff745fc7130 2584 7ff745fc7168 __GSHandlerCheckCommon 2583->2584 2585 7ff745fc7194 2584->2585 2587 7ff745fc3c00 2584->2587 2596 7ff745fc43d0 2587->2596 2589 7ff745fc3c42 2590 7ff745fc43d0 _CreateFrameInfo 10 API calls 2589->2590 2591 7ff745fc3c4f 2590->2591 2592 7ff745fc43d0 _CreateFrameInfo 10 API calls 2591->2592 2593 7ff745fc3c58 __GSHandlerCheck_EH 2592->2593 2599 7ff745fc5414 2593->2599 2615 7ff745fc43ec 2596->2615 2598 7ff745fc43d9 2598->2589 2600 7ff745fc5443 __except_validate_context_record 2599->2600 2601 7ff745fc43d0 _CreateFrameInfo 10 API calls 2600->2601 2602 7ff745fc5448 2601->2602 2603 7ff745fc5498 2602->2603 2608 7ff745fc55b2 __GSHandlerCheck_EH 2602->2608 2614 7ff745fc3ca9 2602->2614 2605 7ff745fc559f 2603->2605 2612 7ff745fc54f3 __GSHandlerCheck_EH 2603->2612 2603->2614 2604 7ff745fc55f7 2604->2614 2664 7ff745fc49a4 2604->2664 2657 7ff745fc3678 2605->2657 2608->2604 2608->2614 2661 7ff745fc3bbc 2608->2661 2609 7ff745fc56a2 abort 2611 7ff745fc5543 2633 7ff745fc5cf0 2611->2633 2612->2609 2612->2611 2614->2585 2616 7ff745fc4404 2615->2616 2617 7ff745fc440b GetLastError 2615->2617 2616->2598 2629 7ff745fc6678 2617->2629 2630 7ff745fc6498 __vcrt_FlsAlloc 5 API calls 2629->2630 2631 7ff745fc669f TlsGetValue 2630->2631 2717 7ff745fc3ba8 2633->2717 2635 7ff745fc5d40 __GSHandlerCheck_EH 2636 7ff745fc5d72 2635->2636 2637 7ff745fc5d5b 2635->2637 2638 7ff745fc43d0 _CreateFrameInfo 10 API calls 2636->2638 2639 7ff745fc43d0 _CreateFrameInfo 10 API calls 2637->2639 2640 7ff745fc5d77 2638->2640 2641 7ff745fc5d60 2639->2641 2642 7ff745fc5d6a 2640->2642 2644 7ff745fc43d0 _CreateFrameInfo 10 API calls 2640->2644 2641->2642 2643 7ff745fc5fd0 abort 2641->2643 2645 7ff745fc43d0 _CreateFrameInfo 10 API calls 2642->2645 2646 7ff745fc5d82 2644->2646 2647 7ff745fc5d96 __GSHandlerCheck_EH 2645->2647 2648 7ff745fc43d0 _CreateFrameInfo 10 API calls 2646->2648 2649 7ff745fc5f92 2647->2649 2720 7ff745fc3bd0 2647->2720 2648->2642 2650 7ff745fc43d0 _CreateFrameInfo 10 API calls 2649->2650 2651 7ff745fc5f97 2650->2651 2652 7ff745fc5fa2 2651->2652 2653 7ff745fc43d0 _CreateFrameInfo 10 API calls 2651->2653 2654 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2652->2654 2653->2652 2655 7ff745fc5fb5 2654->2655 2655->2614 2658 7ff745fc368a 2657->2658 2659 7ff745fc5cf0 __GSHandlerCheck_EH 19 API calls 2658->2659 2660 7ff745fc36a5 2659->2660 2660->2614 2662 7ff745fc43d0 _CreateFrameInfo 10 API calls 2661->2662 2663 7ff745fc3bc5 2662->2663 2663->2604 2665 7ff745fc4a01 __GSHandlerCheck_EH 2664->2665 2666 7ff745fc4a20 2665->2666 2667 7ff745fc4a09 2665->2667 2669 7ff745fc43d0 _CreateFrameInfo 10 API calls 2666->2669 2668 7ff745fc43d0 _CreateFrameInfo 10 API calls 2667->2668 2677 7ff745fc4a0e 2668->2677 2670 7ff745fc4a25 2669->2670 2672 7ff745fc43d0 _CreateFrameInfo 10 API calls 2670->2672 2670->2677 2671 7ff745fc4e99 abort 2673 7ff745fc4a30 2672->2673 2674 7ff745fc43d0 _CreateFrameInfo 10 API calls 2673->2674 2674->2677 2675 7ff745fc4def 2675->2671 2679 7ff745fc4ded 2675->2679 2759 7ff745fc4ea0 2675->2759 2676 7ff745fc4b54 __GSHandlerCheck_EH 2676->2675 2704 7ff745fc4b90 __GSHandlerCheck_EH 2676->2704 2677->2671 2677->2676 2678 7ff745fc43d0 _CreateFrameInfo 10 API calls 2677->2678 2681 7ff745fc4ac0 2678->2681 2680 7ff745fc43d0 _CreateFrameInfo 10 API calls 2679->2680 2683 7ff745fc4e30 2680->2683 2685 7ff745fc4e37 2681->2685 2687 7ff745fc43d0 _CreateFrameInfo 10 API calls 2681->2687 2683->2671 2683->2685 2684 7ff745fc4dd4 __GSHandlerCheck_EH 2684->2679 2692 7ff745fc4e81 2684->2692 2686 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2685->2686 2688 7ff745fc4e43 2686->2688 2689 7ff745fc4ad0 2687->2689 2688->2614 2690 7ff745fc43d0 _CreateFrameInfo 10 API calls 2689->2690 2691 7ff745fc4ad9 2690->2691 2723 7ff745fc3be8 2691->2723 2693 7ff745fc43d0 _CreateFrameInfo 10 API calls 2692->2693 2695 7ff745fc4e86 2693->2695 2697 7ff745fc43d0 _CreateFrameInfo 10 API calls 2695->2697 2698 7ff745fc4e8f terminate 2697->2698 2698->2671 2699 7ff745fc43d0 _CreateFrameInfo 10 API calls 2700 7ff745fc4b16 2699->2700 2700->2676 2701 7ff745fc43d0 _CreateFrameInfo 10 API calls 2700->2701 2702 7ff745fc4b22 2701->2702 2703 7ff745fc43d0 _CreateFrameInfo 10 API calls 2702->2703 2705 7ff745fc4b2b 2703->2705 2704->2684 2706 7ff745fc3bbc 10 API calls BuildCatchObjectHelperInternal 2704->2706 2737 7ff745fc52d0 2704->2737 2751 7ff745fc48d0 2704->2751 2726 7ff745fc5fd8 2705->2726 2706->2704 2709 7ff745fc4b3f 2733 7ff745fc60c8 2709->2733 2712 7ff745fc4e7b terminate 2712->2692 2714 7ff745fc4b47 std::bad_alloc::bad_alloc __GSHandlerCheck_EH 2714->2712 2715 7ff745fc3f84 Concurrency::cancel_current_task 2 API calls 2714->2715 2716 7ff745fc4e7a 2715->2716 2716->2712 2718 7ff745fc43d0 _CreateFrameInfo 10 API calls 2717->2718 2719 7ff745fc3bb1 2718->2719 2719->2635 2721 7ff745fc43d0 _CreateFrameInfo 10 API calls 2720->2721 2722 7ff745fc3bde 2721->2722 2722->2647 2724 7ff745fc43d0 _CreateFrameInfo 10 API calls 2723->2724 2725 7ff745fc3bf6 2724->2725 2725->2671 2725->2699 2727 7ff745fc60bf abort 2726->2727 2729 7ff745fc6003 2726->2729 2728 7ff745fc4b3b 2728->2676 2728->2709 2729->2728 2730 7ff745fc3bbc 10 API calls BuildCatchObjectHelperInternal 2729->2730 2731 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2729->2731 2775 7ff745fc5190 2729->2775 2730->2729 2731->2729 2734 7ff745fc6135 2733->2734 2736 7ff745fc60e5 Is_bad_exception_allowed 2733->2736 2734->2714 2735 7ff745fc3ba8 10 API calls Is_bad_exception_allowed 2735->2736 2736->2734 2736->2735 2738 7ff745fc52fd 2737->2738 2750 7ff745fc538d 2737->2750 2739 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2738->2739 2740 7ff745fc5306 2739->2740 2741 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2740->2741 2742 7ff745fc531f 2740->2742 2740->2750 2741->2742 2743 7ff745fc534c 2742->2743 2744 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2742->2744 2742->2750 2745 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2743->2745 2744->2743 2746 7ff745fc5360 2745->2746 2747 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2746->2747 2749 7ff745fc5379 2746->2749 2746->2750 2747->2749 2748 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2748->2750 2749->2748 2750->2704 2752 7ff745fc490d __GSHandlerCheck_EH 2751->2752 2753 7ff745fc4933 2752->2753 2789 7ff745fc480c 2752->2789 2755 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2753->2755 2756 7ff745fc4945 2755->2756 2798 7ff745fc3838 RtlUnwindEx 2756->2798 2760 7ff745fc4ef4 2759->2760 2761 7ff745fc5169 2759->2761 2763 7ff745fc43d0 _CreateFrameInfo 10 API calls 2760->2763 2762 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2761->2762 2764 7ff745fc5175 2762->2764 2765 7ff745fc4ef9 2763->2765 2764->2679 2766 7ff745fc4f0e EncodePointer 2765->2766 2768 7ff745fc4f60 __GSHandlerCheck_EH 2765->2768 2767 7ff745fc43d0 _CreateFrameInfo 10 API calls 2766->2767 2770 7ff745fc4f1e 2767->2770 2768->2761 2769 7ff745fc5189 abort 2768->2769 2773 7ff745fc4f82 __GSHandlerCheck_EH 2768->2773 2770->2768 2822 7ff745fc34f8 2770->2822 2772 7ff745fc48d0 __GSHandlerCheck_EH 21 API calls 2772->2773 2773->2761 2773->2772 2774 7ff745fc3ba8 10 API calls Is_bad_exception_allowed 2773->2774 2774->2773 2776 7ff745fc51bd 2775->2776 2787 7ff745fc524c 2775->2787 2777 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2776->2777 2778 7ff745fc51c6 2777->2778 2779 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2778->2779 2780 7ff745fc51df 2778->2780 2778->2787 2779->2780 2781 7ff745fc520b 2780->2781 2782 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2780->2782 2780->2787 2783 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2781->2783 2782->2781 2784 7ff745fc521f 2783->2784 2785 7ff745fc5238 2784->2785 2786 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2784->2786 2784->2787 2788 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2785->2788 2786->2785 2787->2729 2788->2787 2790 7ff745fc482f 2789->2790 2801 7ff745fc4608 2790->2801 2792 7ff745fc4840 2793 7ff745fc4881 __AdjustPointer 2792->2793 2795 7ff745fc4845 __AdjustPointer 2792->2795 2794 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2793->2794 2796 7ff745fc4864 BuildCatchObjectHelperInternal 2793->2796 2794->2796 2795->2796 2797 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2795->2797 2796->2753 2797->2796 2799 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2798->2799 2800 7ff745fc394e 2799->2800 2800->2704 2802 7ff745fc4635 2801->2802 2804 7ff745fc463e 2801->2804 2803 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2802->2803 2803->2804 2805 7ff745fc3ba8 Is_bad_exception_allowed 10 API calls 2804->2805 2806 7ff745fc465d 2804->2806 2813 7ff745fc46c2 __AdjustPointer BuildCatchObjectHelperInternal 2804->2813 2805->2806 2807 7ff745fc46aa 2806->2807 2808 7ff745fc46ca 2806->2808 2806->2813 2810 7ff745fc47e9 abort abort 2807->2810 2807->2813 2809 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2808->2809 2812 7ff745fc474a 2808->2812 2808->2813 2809->2812 2811 7ff745fc480c 2810->2811 2814 7ff745fc4608 BuildCatchObjectHelperInternal 10 API calls 2811->2814 2812->2813 2815 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2812->2815 2813->2792 2816 7ff745fc4840 2814->2816 2815->2813 2817 7ff745fc4881 __AdjustPointer 2816->2817 2818 7ff745fc4845 __AdjustPointer 2816->2818 2819 7ff745fc4864 BuildCatchObjectHelperInternal 2817->2819 2820 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2817->2820 2818->2819 2821 7ff745fc3bbc BuildCatchObjectHelperInternal 10 API calls 2818->2821 2819->2792 2820->2819 2821->2819 2823 7ff745fc43d0 _CreateFrameInfo 10 API calls 2822->2823 2824 7ff745fc3524 2823->2824 2824->2768 2825 7ff745fc43b0 2826 7ff745fc43ca 2825->2826 2827 7ff745fc43b9 2825->2827 2827->2826 2828 7ff745fc43c5 free 2827->2828 2828->2826 3024 7ff745fc2970 3027 7ff745fc2da0 3024->3027 3028 7ff745fc2dc3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 3027->3028 3029 7ff745fc2979 3027->3029 3028->3029 3037 7ff745fc756f 3038 7ff745fc43d0 _CreateFrameInfo 10 API calls 3037->3038 3039 7ff745fc757d 3038->3039 3040 7ff745fc7588 3039->3040 3041 7ff745fc43d0 _CreateFrameInfo 10 API calls 3039->3041 3041->3040 3042 7ff745fc5f75 3050 7ff745fc5e35 __GSHandlerCheck_EH 3042->3050 3043 7ff745fc5f92 3044 7ff745fc43d0 _CreateFrameInfo 10 API calls 3043->3044 3045 7ff745fc5f97 3044->3045 3046 7ff745fc5fa2 3045->3046 3047 7ff745fc43d0 _CreateFrameInfo 10 API calls 3045->3047 3048 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 3046->3048 3047->3046 3049 7ff745fc5fb5 3048->3049 3050->3043 3051 7ff745fc3bd0 __GSHandlerCheck_EH 10 API calls 3050->3051 3051->3050 2832 7ff745fc74a7 2835 7ff745fc5cc0 2832->2835 2840 7ff745fc5c38 2835->2840 2838 7ff745fc5ce0 2839 7ff745fc43d0 _CreateFrameInfo 10 API calls 2839->2838 2841 7ff745fc5ca3 2840->2841 2842 7ff745fc5c5a 2840->2842 2841->2838 2841->2839 2842->2841 2843 7ff745fc43d0 _CreateFrameInfo 10 API calls 2842->2843 2843->2841 2844 7ff745fc59ad 2845 7ff745fc43d0 _CreateFrameInfo 10 API calls 2844->2845 2846 7ff745fc59ba 2845->2846 2847 7ff745fc43d0 _CreateFrameInfo 10 API calls 2846->2847 2848 7ff745fc59c3 __GSHandlerCheck_EH 2847->2848 2849 7ff745fc5a0a RaiseException 2848->2849 2850 7ff745fc5a29 2849->2850 2863 7ff745fc3b54 2850->2863 2852 7ff745fc5a5a __GSHandlerCheck_EH 2853 7ff745fc43d0 _CreateFrameInfo 10 API calls 2852->2853 2854 7ff745fc5a6d 2853->2854 2855 7ff745fc43d0 _CreateFrameInfo 10 API calls 2854->2855 2857 7ff745fc5a76 2855->2857 2859 7ff745fc43d0 _CreateFrameInfo 10 API calls 2857->2859 2860 7ff745fc5a7f 2859->2860 2861 7ff745fc43d0 _CreateFrameInfo 10 API calls 2860->2861 2862 7ff745fc5a8e 2861->2862 2864 7ff745fc43d0 _CreateFrameInfo 10 API calls 2863->2864 2865 7ff745fc3b66 2864->2865 2866 7ff745fc3ba1 abort 2865->2866 2867 7ff745fc43d0 _CreateFrameInfo 10 API calls 2865->2867 2868 7ff745fc3b71 2867->2868 2868->2866 2869 7ff745fc3b8d 2868->2869 2870 7ff745fc43d0 _CreateFrameInfo 10 API calls 2869->2870 2871 7ff745fc3b92 2870->2871 2871->2852 2872 7ff745fc4104 2871->2872 2873 7ff745fc43d0 _CreateFrameInfo 10 API calls 2872->2873 2874 7ff745fc4112 2873->2874 2874->2852 2243 7ff745fc27ec 2266 7ff745fc2b8c 2243->2266 2246 7ff745fc2943 2306 7ff745fc2ecc IsProcessorFeaturePresent 2246->2306 2247 7ff745fc280d 2249 7ff745fc294d 2247->2249 2255 7ff745fc282b __scrt_release_startup_lock 2247->2255 2250 7ff745fc2ecc 7 API calls 2249->2250 2251 7ff745fc2958 2250->2251 2253 7ff745fc2960 _exit 2251->2253 2252 7ff745fc2850 2254 7ff745fc28d6 _get_initial_narrow_environment __p___argv __p___argc 2272 7ff745fc1060 2254->2272 2255->2252 2255->2254 2259 7ff745fc28ce _register_thread_local_exe_atexit_callback 2255->2259 2259->2254 2261 7ff745fc2903 2262 7ff745fc2908 _cexit 2261->2262 2263 7ff745fc290d 2261->2263 2262->2263 2302 7ff745fc2d20 2263->2302 2313 7ff745fc316c 2266->2313 2269 7ff745fc2805 2269->2246 2269->2247 2270 7ff745fc2bbb __scrt_initialize_crt 2270->2269 2315 7ff745fc404c 2270->2315 2273 7ff745fc1386 2272->2273 2281 7ff745fc10b4 2272->2281 2342 7ff745fc1450 __acrt_iob_func 2273->2342 2275 7ff745fc1399 2300 7ff745fc3020 GetModuleHandleW 2275->2300 2276 7ff745fc1289 2276->2273 2277 7ff745fc129f 2276->2277 2347 7ff745fc2688 2277->2347 2279 7ff745fc1125 strcmp 2279->2281 2280 7ff745fc12a9 2282 7ff745fc1325 2280->2282 2283 7ff745fc12b9 GetTempPathA 2280->2283 2281->2276 2281->2279 2284 7ff745fc1151 strcmp 2281->2284 2292 7ff745fc117d strcmp 2281->2292 2298 7ff745fc1226 strcmp 2281->2298 2356 7ff745fc23c0 2282->2356 2286 7ff745fc12e9 strcat_s 2283->2286 2287 7ff745fc12cb GetLastError 2283->2287 2284->2281 2286->2282 2288 7ff745fc1304 2286->2288 2290 7ff745fc1450 6 API calls 2287->2290 2291 7ff745fc1450 6 API calls 2288->2291 2293 7ff745fc12df GetLastError 2290->2293 2296 7ff745fc1312 2291->2296 2292->2281 2293->2296 2296->2275 2297 7ff745fc1344 __acrt_iob_func fflush __acrt_iob_func fflush 2297->2296 2298->2281 2299 7ff745fc1239 atoi 2298->2299 2299->2281 2301 7ff745fc28ff 2300->2301 2301->2251 2301->2261 2304 7ff745fc2d31 __scrt_initialize_crt 2302->2304 2303 7ff745fc2916 2303->2252 2304->2303 2305 7ff745fc404c __scrt_initialize_crt 7 API calls 2304->2305 2305->2303 2307 7ff745fc2ef2 2306->2307 2308 7ff745fc2f11 RtlCaptureContext RtlLookupFunctionEntry 2307->2308 2309 7ff745fc2f76 2308->2309 2310 7ff745fc2f3a RtlVirtualUnwind 2308->2310 2311 7ff745fc2fa8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2309->2311 2310->2309 2312 7ff745fc2ffa 2311->2312 2312->2249 2314 7ff745fc2bae __scrt_dllmain_crt_thread_attach 2313->2314 2314->2269 2314->2270 2316 7ff745fc4054 2315->2316 2317 7ff745fc405e 2315->2317 2321 7ff745fc44f4 2316->2321 2317->2269 2322 7ff745fc4059 2321->2322 2323 7ff745fc4503 2321->2323 2325 7ff745fc6460 2322->2325 2329 7ff745fc6630 2323->2329 2326 7ff745fc648b 2325->2326 2327 7ff745fc648f 2326->2327 2328 7ff745fc646e DeleteCriticalSection 2326->2328 2327->2317 2328->2326 2333 7ff745fc6498 2329->2333 2334 7ff745fc65b2 TlsFree 2333->2334 2339 7ff745fc64dc 2333->2339 2335 7ff745fc650a LoadLibraryExW 2337 7ff745fc6581 2335->2337 2338 7ff745fc652b GetLastError 2335->2338 2336 7ff745fc65a1 GetProcAddress 2336->2334 2337->2336 2340 7ff745fc6598 FreeLibrary 2337->2340 2338->2339 2339->2334 2339->2335 2339->2336 2341 7ff745fc654d LoadLibraryExW 2339->2341 2340->2336 2341->2337 2341->2339 2392 7ff745fc1010 2342->2392 2344 7ff745fc148a __acrt_iob_func 2395 7ff745fc1000 2344->2395 2346 7ff745fc14a2 __stdio_common_vfprintf __acrt_iob_func fflush 2346->2275 2350 7ff745fc2690 2347->2350 2348 7ff745fc26aa malloc 2349 7ff745fc26b4 2348->2349 2348->2350 2349->2280 2350->2348 2351 7ff745fc26ba 2350->2351 2354 7ff745fc26c5 2351->2354 2397 7ff745fc2b30 2351->2397 2401 7ff745fc1720 2354->2401 2355 7ff745fc26cb 2355->2280 2357 7ff745fc2688 5 API calls 2356->2357 2358 7ff745fc23f5 OpenProcess 2357->2358 2359 7ff745fc2458 K32GetModuleBaseNameA 2358->2359 2360 7ff745fc243b GetLastError 2358->2360 2362 7ff745fc2492 2359->2362 2363 7ff745fc2470 GetLastError 2359->2363 2361 7ff745fc1450 6 API calls 2360->2361 2372 7ff745fc2453 2361->2372 2418 7ff745fc1800 2362->2418 2364 7ff745fc1450 6 API calls 2363->2364 2366 7ff745fc2484 CloseHandle 2364->2366 2366->2372 2368 7ff745fc25b3 CloseHandle 2368->2372 2369 7ff745fc24ae 2371 7ff745fc13c0 6 API calls 2369->2371 2370 7ff745fc25fa 2429 7ff745fc2660 2370->2429 2373 7ff745fc24cf CreateFileA 2371->2373 2372->2370 2374 7ff745fc25f3 _invalid_parameter_noinfo_noreturn 2372->2374 2375 7ff745fc250f GetLastError 2373->2375 2383 7ff745fc2543 2373->2383 2374->2370 2377 7ff745fc1450 6 API calls 2375->2377 2380 7ff745fc2538 CloseHandle 2377->2380 2378 7ff745fc2550 MiniDumpWriteDump 2381 7ff745fc2576 GetLastError 2378->2381 2382 7ff745fc258a CloseHandle CloseHandle 2378->2382 2380->2372 2381->2383 2384 7ff745fc258c 2381->2384 2382->2372 2383->2378 2383->2382 2386 7ff745fc1450 6 API calls 2384->2386 2386->2382 2387 7ff745fc13c0 __acrt_iob_func 2388 7ff745fc1010 fprintf __stdio_common_vfprintf 2387->2388 2389 7ff745fc13fa __acrt_iob_func 2388->2389 2488 7ff745fc1000 2389->2488 2391 7ff745fc1412 __stdio_common_vfprintf __acrt_iob_func fflush 2391->2297 2396 7ff745fc1000 2392->2396 2394 7ff745fc1036 __stdio_common_vfprintf 2394->2344 2395->2346 2396->2394 2398 7ff745fc2b3e std::bad_alloc::bad_alloc 2397->2398 2407 7ff745fc3f84 2398->2407 2400 7ff745fc2b4f 2402 7ff745fc172e Concurrency::cancel_current_task 2401->2402 2403 7ff745fc3f84 Concurrency::cancel_current_task 2 API calls 2402->2403 2404 7ff745fc173f 2403->2404 2412 7ff745fc3cc0 2404->2412 2408 7ff745fc3fc0 RtlPcToFileHeader 2407->2408 2409 7ff745fc3fa3 2407->2409 2410 7ff745fc3fd8 2408->2410 2411 7ff745fc3fe7 RaiseException 2408->2411 2409->2408 2410->2411 2411->2400 2413 7ff745fc3ce1 2412->2413 2414 7ff745fc176d 2412->2414 2413->2414 2415 7ff745fc3cf6 malloc 2413->2415 2414->2355 2416 7ff745fc3d23 free 2415->2416 2417 7ff745fc3d07 2415->2417 2416->2414 2417->2416 2419 7ff745fc1850 2418->2419 2420 7ff745fc1863 WSAStartup 2418->2420 2421 7ff745fc1450 6 API calls 2419->2421 2425 7ff745fc187f 2420->2425 2428 7ff745fc185c 2420->2428 2421->2428 2422 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2423 7ff745fc1d87 2422->2423 2423->2368 2423->2369 2424 7ff745fc1dd0 2427 7ff745fc1450 6 API calls 2424->2427 2425->2424 2425->2428 2438 7ff745fc20c0 2425->2438 2427->2428 2428->2422 2430 7ff745fc2669 2429->2430 2431 7ff745fc1334 2430->2431 2432 7ff745fc29c0 IsProcessorFeaturePresent 2430->2432 2431->2297 2431->2387 2433 7ff745fc29d8 2432->2433 2483 7ff745fc2a94 RtlCaptureContext 2433->2483 2439 7ff745fc20e9 2438->2439 2440 7ff745fc2218 2438->2440 2442 7ff745fc2144 2439->2442 2444 7ff745fc2137 2439->2444 2445 7ff745fc216c 2439->2445 2462 7ff745fc17e0 2440->2462 2453 7ff745fc2690 2442->2453 2443 7ff745fc221d 2447 7ff745fc1720 Concurrency::cancel_current_task 4 API calls 2443->2447 2444->2442 2444->2443 2448 7ff745fc2155 BuildCatchObjectHelperInternal 2445->2448 2449 7ff745fc2690 5 API calls 2445->2449 2450 7ff745fc2223 2447->2450 2451 7ff745fc21e0 _invalid_parameter_noinfo_noreturn 2448->2451 2452 7ff745fc21d3 BuildCatchObjectHelperInternal 2448->2452 2449->2448 2451->2452 2452->2425 2454 7ff745fc26aa malloc 2453->2454 2455 7ff745fc26b4 2454->2455 2456 7ff745fc269b 2454->2456 2455->2448 2456->2454 2457 7ff745fc26ba 2456->2457 2458 7ff745fc26c5 2457->2458 2459 7ff745fc2b30 Concurrency::cancel_current_task 2 API calls 2457->2459 2460 7ff745fc1720 Concurrency::cancel_current_task 4 API calls 2458->2460 2459->2458 2461 7ff745fc26cb 2460->2461 2461->2448 2475 7ff745fc34d4 2462->2475 2480 7ff745fc33f8 2475->2480 2478 7ff745fc3f84 Concurrency::cancel_current_task 2 API calls 2479 7ff745fc34f6 2478->2479 2481 7ff745fc3cc0 __std_exception_copy 2 API calls 2480->2481 2482 7ff745fc342c 2481->2482 2482->2478 2484 7ff745fc2aae RtlLookupFunctionEntry 2483->2484 2485 7ff745fc2ac4 RtlVirtualUnwind 2484->2485 2486 7ff745fc29eb 2484->2486 2485->2484 2485->2486 2487 7ff745fc2984 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2486->2487 2488->2391 2878 7ff745fc72c0 2879 7ff745fc72e0 2878->2879 2880 7ff745fc72d3 2878->2880 2882 7ff745fc1e80 2880->2882 2883 7ff745fc1e93 2882->2883 2885 7ff745fc1eb7 2882->2885 2884 7ff745fc1ed8 _invalid_parameter_noinfo_noreturn 2883->2884 2883->2885 2885->2879 3052 7ff745fc2700 3053 7ff745fc2710 3052->3053 3065 7ff745fc2bd8 3053->3065 3055 7ff745fc2ecc 7 API calls 3056 7ff745fc27b5 3055->3056 3057 7ff745fc2734 _RTC_Initialize 3063 7ff745fc2797 3057->3063 3073 7ff745fc2e64 InitializeSListHead 3057->3073 3063->3055 3064 7ff745fc27a5 3063->3064 3066 7ff745fc2c1b 3065->3066 3067 7ff745fc2be9 3065->3067 3066->3057 3068 7ff745fc2c58 3067->3068 3071 7ff745fc2bee __scrt_release_startup_lock 3067->3071 3069 7ff745fc2ecc 7 API calls 3068->3069 3070 7ff745fc2c62 3069->3070 3071->3066 3072 7ff745fc2c0b _initialize_onexit_table 3071->3072 3072->3066 2886 7ff745fc1d39 2887 7ff745fc1d40 2886->2887 2887->2887 2891 7ff745fc18a0 2887->2891 2896 7ff745fc2040 2887->2896 2889 7ff745fc1d76 2890 7ff745fc2660 __GSHandlerCheck_EH 8 API calls 2889->2890 2893 7ff745fc1d87 2890->2893 2891->2889 2892 7ff745fc1dd0 2891->2892 2894 7ff745fc20c0 21 API calls 2891->2894 2895 7ff745fc1450 6 API calls 2892->2895 2894->2891 2895->2889 2897 7ff745fc20a2 2896->2897 2900 7ff745fc2063 BuildCatchObjectHelperInternal 2896->2900 2898 7ff745fc2230 22 API calls 2897->2898 2899 7ff745fc20b5 2898->2899 2899->2891 2900->2891 2901 7ff745fc733c _seh_filter_exe 3077 7ff745fc7411 3078 7ff745fc7495 3077->3078 3079 7ff745fc7429 3077->3079 3079->3078 3080 7ff745fc43d0 _CreateFrameInfo 10 API calls 3079->3080 3081 7ff745fc7476 3080->3081 3082 7ff745fc43d0 _CreateFrameInfo 10 API calls 3081->3082 3083 7ff745fc748b terminate 3082->3083 3083->3078 2905 7ff745fc1550 2906 7ff745fc3d50 __std_exception_destroy free 2905->2906 2907 7ff745fc1567 2906->2907 2908 7ff745fc27d0 2912 7ff745fc3074 SetUnhandledExceptionFilter 2908->2912 3094 7ff745fc7090 3095 7ff745fc70d2 __GSHandlerCheckCommon 3094->3095 3096 7ff745fc70fa 3095->3096 3098 7ff745fc3d78 3095->3098 3101 7ff745fc3da8 _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 3098->3101 3099 7ff745fc3e99 3099->3096 3100 7ff745fc3e64 RtlUnwindEx 3100->3101 3101->3099 3101->3100 3105 7ff745fc3090 3106 7ff745fc30c4 3105->3106 3107 7ff745fc30a8 3105->3107 3107->3106 3112 7ff745fc41c0 3107->3112 3111 7ff745fc30e2 3113 7ff745fc43d0 _CreateFrameInfo 10 API calls 3112->3113 3114 7ff745fc30d6 3113->3114 3115 7ff745fc41d4 3114->3115 3116 7ff745fc43d0 _CreateFrameInfo 10 API calls 3115->3116 3117 7ff745fc41dd 3116->3117 3117->3111 3118 7ff745fc1510 3119 7ff745fc3cc0 __std_exception_copy 2 API calls 3118->3119 3120 7ff745fc1539 3119->3120 2913 7ff745fc74d6 2914 7ff745fc3b54 11 API calls 2913->2914 2919 7ff745fc74e9 2914->2919 2915 7ff745fc751a __GSHandlerCheck_EH 2916 7ff745fc43d0 _CreateFrameInfo 10 API calls 2915->2916 2917 7ff745fc752e 2916->2917 2918 7ff745fc43d0 _CreateFrameInfo 10 API calls 2917->2918 2920 7ff745fc753b 2918->2920 2919->2915 2921 7ff745fc4104 10 API calls 2919->2921 2922 7ff745fc43d0 _CreateFrameInfo 10 API calls 2920->2922 2921->2915 2923 7ff745fc7548 2922->2923 2924 7ff745fc48c7 abort

                                                                          Executed Functions

                                                                          Function 00007FF745FC1060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214stringCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 0 7ff745fc1060-7ff745fc10ae 1 7ff745fc1386-7ff745fc1394 call 7ff745fc1450 0->1 2 7ff745fc10b4-7ff745fc10c6 0->2 5 7ff745fc1399 1->5 4 7ff745fc10d0-7ff745fc10d6 2->4 6 7ff745fc127f-7ff745fc1283 4->6 7 7ff745fc10dc-7ff745fc10df 4->7 8 7ff745fc139e-7ff745fc13b7 5->8 6->4 9 7ff745fc1289-7ff745fc1299 6->9 10 7ff745fc10e1-7ff745fc10e5 7->10 11 7ff745fc10ed 7->11 9->1 12 7ff745fc129f-7ff745fc12b7 call 7ff745fc2688 9->12 10->11 13 7ff745fc10e7-7ff745fc10eb 10->13 14 7ff745fc10f0-7ff745fc10fc 11->14 26 7ff745fc132a-7ff745fc1336 call 7ff745fc23c0 12->26 27 7ff745fc12b9-7ff745fc12c9 GetTempPathA 12->27 13->11 18 7ff745fc1104-7ff745fc110b 13->18 15 7ff745fc1110-7ff745fc1113 14->15 16 7ff745fc10fe-7ff745fc1102 14->16 20 7ff745fc1125-7ff745fc1136 strcmp 15->20 21 7ff745fc1115-7ff745fc1119 15->21 16->14 16->18 19 7ff745fc127b 18->19 19->6 24 7ff745fc1267-7ff745fc126e 20->24 25 7ff745fc113c-7ff745fc113f 20->25 21->20 23 7ff745fc111b-7ff745fc111f 21->23 23->20 23->24 28 7ff745fc1276 24->28 29 7ff745fc1151-7ff745fc1162 strcmp 25->29 30 7ff745fc1141-7ff745fc1145 25->30 42 7ff745fc1346 26->42 43 7ff745fc1338-7ff745fc1344 call 7ff745fc13c0 26->43 32 7ff745fc12e9-7ff745fc1302 strcat_s 27->32 33 7ff745fc12cb-7ff745fc12e7 GetLastError call 7ff745fc1450 GetLastError 27->33 28->19 38 7ff745fc1258-7ff745fc1265 29->38 39 7ff745fc1168-7ff745fc116b 29->39 30->29 36 7ff745fc1147-7ff745fc114b 30->36 34 7ff745fc1325 32->34 35 7ff745fc1304-7ff745fc1312 call 7ff745fc1450 32->35 53 7ff745fc1313-7ff745fc1323 call 7ff745fc2680 33->53 34->26 35->53 36->29 36->38 38->19 44 7ff745fc117d-7ff745fc118e strcmp 39->44 45 7ff745fc116d-7ff745fc1171 39->45 50 7ff745fc134b-7ff745fc1384 __acrt_iob_func fflush __acrt_iob_func fflush call 7ff745fc2680 42->50 43->50 51 7ff745fc1194-7ff745fc1197 44->51 52 7ff745fc1247-7ff745fc1256 44->52 45->44 49 7ff745fc1173-7ff745fc1177 45->49 49->44 49->52 50->8 57 7ff745fc11a5-7ff745fc11af 51->57 58 7ff745fc1199-7ff745fc119d 51->58 52->28 53->8 61 7ff745fc11b0-7ff745fc11bb 57->61 58->57 60 7ff745fc119f-7ff745fc11a3 58->60 60->57 63 7ff745fc11c3-7ff745fc11d2 60->63 64 7ff745fc11d7-7ff745fc11da 61->64 65 7ff745fc11bd-7ff745fc11c1 61->65 63->28 66 7ff745fc11ec-7ff745fc11f6 64->66 67 7ff745fc11dc-7ff745fc11e0 64->67 65->61 65->63 69 7ff745fc1200-7ff745fc120b 66->69 67->66 68 7ff745fc11e2-7ff745fc11e6 67->68 68->19 68->66 70 7ff745fc1215-7ff745fc1218 69->70 71 7ff745fc120d-7ff745fc1211 69->71 73 7ff745fc1226-7ff745fc1237 strcmp 70->73 74 7ff745fc121a-7ff745fc121e 70->74 71->69 72 7ff745fc1213 71->72 72->19 73->19 75 7ff745fc1239-7ff745fc1245 atoi 73->75 74->73 76 7ff745fc1220-7ff745fc1224 74->76 75->19 76->19 76->73
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                                          • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                                          • API String ID: 2647627392-2367407095
                                                                          • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                          • Instruction ID: dcdeb1d99eb9810795c18942a35158847b132818884d06c6a5006f51d7627e90
                                                                          • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                          • Instruction Fuzzy Hash: F2A15F61D0C682D5FB63BF20A440AB9E6A4FF46F54F884975CA8E426D5DF3CE464C322
                                                                          Function 00007FF745FC27EC Relevance: 13.6, APIs: 9, Instructions: 102COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                          • String ID:
                                                                          • API String ID: 2308368977-0
                                                                          • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                          • Instruction ID: 09e40f59abf2a7dddf1ae4c79882da5be2374f6061397f192851a1c33c2dba96
                                                                          • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                          • Instruction Fuzzy Hash: C1312B21E4C203C1FB16BBA495513BD9291FF45F84FC45835EA8E4B2E7DF2DA8458272
                                                                          Function 00007FF745FC1450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                          • String ID: [createdump]
                                                                          • API String ID: 3735572767-2657508301
                                                                          • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                          • Instruction ID: e82dfa2bb3e1ecb21383a8059a675176373ac2cb04500ae06c7f495ff0e4f1e2
                                                                          • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                          • Instruction Fuzzy Hash: 1901E825A0CB91C2F701BB51F8195AAE364FB84BD1F804939EA8E037A99F3CD555C711

                                                                          Non-executed Functions

                                                                          Function 00007FF745FC2ECC Relevance: 10.6, APIs: 7, Instructions: 72COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                          • Instruction ID: 0ca8f8a007ff15bb9d474238ed2a830860bec08b8fac6edd99697f664dc3ff7c
                                                                          • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                          • Instruction Fuzzy Hash: 3231307260DA81C6EB61AF64E8403EDB365FB44B44F84483ADA4E47BD8DF38D548C721
                                                                          Function 00007FF745FC3074 Relevance: .0, Instructions: 2COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                          • Instruction ID: 6c1790ed4d5dbfc9e766f4c1f93f55d34b0cd19ef3102415a486f8b1c47bf8c7
                                                                          • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                          • Instruction Fuzzy Hash: 26A0022298CD12D0FB5ABB10E854171A330FB50B44FC00C32D00E430E49F3DA444C322
                                                                          Function 00007FF745FC23C0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 157COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF745FC242D
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF745FC243B
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC1475
                                                                            • Part of subcall function 00007FF745FC1450: fprintf.MSPDB140-MSVCRT ref: 00007FF745FC1485
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC1494
                                                                            • Part of subcall function 00007FF745FC1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14B3
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14BE
                                                                            • Part of subcall function 00007FF745FC1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14C7
                                                                          • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF745FC2466
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF745FC2470
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF745FC2487
                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF745FC25F3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                                          • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                                          • API String ID: 3971781330-1292085346
                                                                          • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                          • Instruction ID: d26c0739825942ff9e30183bec2749b99de5d615ee2e7aa7d08f547de2515df3
                                                                          • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                          • Instruction Fuzzy Hash: 07614031A0CA42C2E721BB55E45067EB762FB85B90FD00934EA9E03AE5DF3DE445D722
                                                                          Function 00007FF745FC49A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316COMMONLIBRARYCODE
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 177 7ff745fc49a4-7ff745fc4a07 call 7ff745fc4518 180 7ff745fc4a20-7ff745fc4a29 call 7ff745fc43d0 177->180 181 7ff745fc4a09-7ff745fc4a12 call 7ff745fc43d0 177->181 188 7ff745fc4a3f-7ff745fc4a42 180->188 189 7ff745fc4a2b-7ff745fc4a38 call 7ff745fc43d0 * 2 180->189 186 7ff745fc4e99-7ff745fc4e9f abort 181->186 187 7ff745fc4a18-7ff745fc4a1e 181->187 187->188 188->186 190 7ff745fc4a48-7ff745fc4a54 188->190 189->188 192 7ff745fc4a7f 190->192 193 7ff745fc4a56-7ff745fc4a7d 190->193 195 7ff745fc4a81-7ff745fc4a83 192->195 193->195 195->186 197 7ff745fc4a89-7ff745fc4a8f 195->197 199 7ff745fc4a95-7ff745fc4a99 197->199 200 7ff745fc4b59-7ff745fc4b6f call 7ff745fc5724 197->200 199->200 202 7ff745fc4a9f-7ff745fc4aaa 199->202 205 7ff745fc4def-7ff745fc4df3 200->205 206 7ff745fc4b75-7ff745fc4b79 200->206 202->200 204 7ff745fc4ab0-7ff745fc4ab5 202->204 204->200 207 7ff745fc4abb-7ff745fc4ac5 call 7ff745fc43d0 204->207 210 7ff745fc4df5-7ff745fc4dfc 205->210 211 7ff745fc4e2b-7ff745fc4e35 call 7ff745fc43d0 205->211 206->205 208 7ff745fc4b7f-7ff745fc4b8a 206->208 220 7ff745fc4e37-7ff745fc4e56 call 7ff745fc2660 207->220 221 7ff745fc4acb-7ff745fc4af1 call 7ff745fc43d0 * 2 call 7ff745fc3be8 207->221 208->205 213 7ff745fc4b90-7ff745fc4b94 208->213 210->186 215 7ff745fc4e02-7ff745fc4e26 call 7ff745fc4ea0 210->215 211->186 211->220 218 7ff745fc4dd4-7ff745fc4dd8 213->218 219 7ff745fc4b9a-7ff745fc4bd1 call 7ff745fc36d0 213->219 215->211 218->211 223 7ff745fc4dda-7ff745fc4de7 call 7ff745fc3670 218->223 219->218 231 7ff745fc4bd7-7ff745fc4be2 219->231 246 7ff745fc4b11-7ff745fc4b1b call 7ff745fc43d0 221->246 247 7ff745fc4af3-7ff745fc4af7 221->247 234 7ff745fc4e81-7ff745fc4e98 call 7ff745fc43d0 * 2 terminate 223->234 235 7ff745fc4ded 223->235 236 7ff745fc4be6-7ff745fc4bf6 231->236 234->186 235->211 238 7ff745fc4d2f-7ff745fc4dce 236->238 239 7ff745fc4bfc-7ff745fc4c02 236->239 238->218 238->236 239->238 242 7ff745fc4c08-7ff745fc4c31 call 7ff745fc56a8 239->242 242->238 252 7ff745fc4c37-7ff745fc4c7e call 7ff745fc3bbc * 2 242->252 246->200 256 7ff745fc4b1d-7ff745fc4b3d call 7ff745fc43d0 * 2 call 7ff745fc5fd8 246->256 247->246 250 7ff745fc4af9-7ff745fc4b04 247->250 250->246 253 7ff745fc4b06-7ff745fc4b0b 250->253 263 7ff745fc4c80-7ff745fc4ca5 call 7ff745fc3bbc call 7ff745fc52d0 252->263 264 7ff745fc4cba-7ff745fc4cd0 call 7ff745fc5ab0 252->264 253->186 253->246 272 7ff745fc4b3f-7ff745fc4b49 call 7ff745fc60c8 256->272 273 7ff745fc4b54 256->273 280 7ff745fc4cd7-7ff745fc4d26 call 7ff745fc48d0 263->280 281 7ff745fc4ca7-7ff745fc4cb3 263->281 274 7ff745fc4cd2 264->274 275 7ff745fc4d2b 264->275 282 7ff745fc4b4f-7ff745fc4e7a call 7ff745fc4090 call 7ff745fc5838 call 7ff745fc3f84 272->282 283 7ff745fc4e7b-7ff745fc4e80 terminate 272->283 273->200 274->252 275->238 280->275 281->263 285 7ff745fc4cb5 281->285 282->283 283->234 285->264
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 695522112-393685449
                                                                          • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                          • Instruction ID: 5517ecb9c31b156e9ea7579941c421a2b4394eca60bbe79b4326374f3a01b0a8
                                                                          • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                          • Instruction Fuzzy Hash: ABE1AE3290C682CAE722BF64D4843ADB7A0FB44B49F950935DA8D477DADF38E485C712
                                                                          Function 00007FF745FC13C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                          • String ID: [createdump]
                                                                          • API String ID: 3735572767-2657508301
                                                                          • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                          • Instruction ID: ef8ab7e7a3ccf0b7e531e20a21e2e3cbbd314ae22d3db5b2b2af6090ef166c79
                                                                          • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                          • Instruction Fuzzy Hash: 6D012831A0CB91C2F701BB50F8185AAA360FB84BD1F804935EA8E037A98F7CD495C751
                                                                          Function 00007FF745FC1800 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92networkCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • WSAStartup.WS2_32 ref: 00007FF745FC186C
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC1475
                                                                            • Part of subcall function 00007FF745FC1450: fprintf.MSPDB140-MSVCRT ref: 00007FF745FC1485
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC1494
                                                                            • Part of subcall function 00007FF745FC1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14B3
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14BE
                                                                            • Part of subcall function 00007FF745FC1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14C7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                                          • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                                          • API String ID: 3378602911-3973674938
                                                                          • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                          • Instruction ID: eebb0cc54b4a8a83d3f724510c434ccc0d91318707ccab8df58598b2d1b1227b
                                                                          • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                          • Instruction Fuzzy Hash: D231E062E0CA81C6E75ABF559854BFAA761BB45B84FC40832DE8D032D5CF3CE055C721
                                                                          Function 00007FF745FC6498 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF745FC669F,?,?,?,00007FF745FC441E,?,?,?,00007FF745FC43D9), ref: 00007FF745FC651D
                                                                          • GetLastError.KERNEL32(?,00000000,00007FF745FC669F,?,?,?,00007FF745FC441E,?,?,?,00007FF745FC43D9,?,?,?,?,00007FF745FC3524), ref: 00007FF745FC652B
                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00007FF745FC669F,?,?,?,00007FF745FC441E,?,?,?,00007FF745FC43D9,?,?,?,?,00007FF745FC3524), ref: 00007FF745FC6555
                                                                          • FreeLibrary.KERNEL32(?,00000000,00007FF745FC669F,?,?,?,00007FF745FC441E,?,?,?,00007FF745FC43D9,?,?,?,?,00007FF745FC3524), ref: 00007FF745FC659B
                                                                          • GetProcAddress.KERNEL32(?,00000000,00007FF745FC669F,?,?,?,00007FF745FC441E,?,?,?,00007FF745FC43D9,?,?,?,?,00007FF745FC3524), ref: 00007FF745FC65A7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                          • Instruction ID: dac49592ad449845e53c1555686a277c5a4fed7e1905f8597b2850dbdfaaa6f2
                                                                          • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                          • Instruction Fuzzy Hash: 27316D21A1E642D5FF12BB169804579A294BF48FA0FA94E35DD1D467C8EF3CE445C321
                                                                          Function 00007FF745FC1B18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 360 7ff745fc1b18-7ff745fc1b32 _time64 361 7ff745fc1b80-7ff745fc1ba8 360->361 362 7ff745fc1b34-7ff745fc1b37 360->362 361->361 364 7ff745fc1baa-7ff745fc1bd8 361->364 363 7ff745fc1b40-7ff745fc1b68 362->363 363->363 365 7ff745fc1b6a-7ff745fc1b71 363->365 366 7ff745fc1bfa-7ff745fc1c32 364->366 367 7ff745fc1bda-7ff745fc1bf5 call 7ff745fc1ee0 364->367 365->364 369 7ff745fc1c64-7ff745fc1c78 call 7ff745fc2230 366->369 370 7ff745fc1c34-7ff745fc1c43 366->370 367->366 378 7ff745fc1c7d-7ff745fc1c88 369->378 373 7ff745fc1c45 370->373 374 7ff745fc1c48-7ff745fc1c62 call 7ff745fc68c0 370->374 373->374 374->378 379 7ff745fc1c8a-7ff745fc1c98 378->379 380 7ff745fc1cbb-7ff745fc1cde 378->380 381 7ff745fc1cb3-7ff745fc1cb6 call 7ff745fc2680 379->381 382 7ff745fc1c9a-7ff745fc1cad 379->382 383 7ff745fc1d55-7ff745fc1d70 380->383 381->380 382->381 384 7ff745fc1da2-7ff745fc1dce _invalid_parameter_noinfo_noreturn WSAGetLastError call 7ff745fc1450 call 7ff745fc2680 382->384 388 7ff745fc18a0-7ff745fc18a3 383->388 389 7ff745fc1d76 383->389 393 7ff745fc1d78-7ff745fc1da1 call 7ff745fc2660 384->393 391 7ff745fc18a5-7ff745fc18b7 388->391 392 7ff745fc18f3-7ff745fc18fe 388->392 389->393 396 7ff745fc18e2-7ff745fc18ee call 7ff745fc20c0 391->396 397 7ff745fc18b9-7ff745fc18c8 391->397 398 7ff745fc1dd0-7ff745fc1dde call 7ff745fc1450 392->398 399 7ff745fc1904-7ff745fc1915 392->399 396->383 402 7ff745fc18ca 397->402 403 7ff745fc18cd-7ff745fc18dd 397->403 398->393 399->383 402->403 403->383
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: _time64
                                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                          • API String ID: 1670930206-4114407318
                                                                          • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                          • Instruction ID: 2907be9083c24fc5b1a4b7a33388effd17382d388d5fa2430312cca2b598f4be
                                                                          • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                          • Instruction Fuzzy Hash: A851C162A1CB8186EB01EB28D4447EAA7A4FB81BD0F800531EB9D137E9DF3CD055D751
                                                                          Function 00007FF745FC4EA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: EncodePointerabort
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 1188231555-2084237596
                                                                          • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                          • Instruction ID: 5b9cfcfbc55b591b0681e3748b99d4737e460a90d16391e442e8ef3f81e604a1
                                                                          • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                          • Instruction Fuzzy Hash: 4291C173A08B82CAE711EB65E8802ADB7B0FB44B88F544539EE8D47794DF38E195C701
                                                                          Function 00007FF745FC5414 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 459 7ff745fc5414-7ff745fc5461 call 7ff745fc63f4 call 7ff745fc43d0 464 7ff745fc5463-7ff745fc5469 459->464 465 7ff745fc548e-7ff745fc5492 459->465 464->465 466 7ff745fc546b-7ff745fc546e 464->466 467 7ff745fc55b2-7ff745fc55c7 call 7ff745fc5724 465->467 468 7ff745fc5498-7ff745fc549b 465->468 470 7ff745fc5480-7ff745fc5483 466->470 471 7ff745fc5470-7ff745fc5474 466->471 479 7ff745fc55d2-7ff745fc55d8 467->479 480 7ff745fc55c9-7ff745fc55cc 467->480 472 7ff745fc54a1-7ff745fc54d1 468->472 473 7ff745fc5680 468->473 470->465 477 7ff745fc5485-7ff745fc5488 470->477 476 7ff745fc5476-7ff745fc547e 471->476 471->477 472->473 478 7ff745fc54d7-7ff745fc54de 472->478 474 7ff745fc5685-7ff745fc56a1 473->474 476->465 476->470 477->465 477->473 478->473 481 7ff745fc54e4-7ff745fc54e8 478->481 482 7ff745fc55da-7ff745fc55de 479->482 483 7ff745fc5647-7ff745fc567b call 7ff745fc49a4 479->483 480->473 480->479 484 7ff745fc559f-7ff745fc55ad call 7ff745fc3678 481->484 485 7ff745fc54ee-7ff745fc54f1 481->485 482->483 489 7ff745fc55e0-7ff745fc55e7 482->489 483->473 484->473 487 7ff745fc5556-7ff745fc5559 485->487 488 7ff745fc54f3-7ff745fc5508 call 7ff745fc4520 485->488 487->484 494 7ff745fc555b-7ff745fc5563 487->494 497 7ff745fc56a2-7ff745fc56a7 abort 488->497 499 7ff745fc550e-7ff745fc5511 488->499 489->483 493 7ff745fc55e9-7ff745fc55f0 489->493 493->483 496 7ff745fc55f2-7ff745fc5605 call 7ff745fc3bbc 493->496 494->497 498 7ff745fc5569-7ff745fc5593 494->498 496->483 508 7ff745fc5607-7ff745fc5645 496->508 498->497 501 7ff745fc5599-7ff745fc559d 498->501 502 7ff745fc5513-7ff745fc5538 499->502 503 7ff745fc553a-7ff745fc553d 499->503 505 7ff745fc5546-7ff745fc5551 call 7ff745fc5cf0 501->505 502->503 503->497 506 7ff745fc5543 503->506 505->473 506->505 508->474
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: __except_validate_context_recordabort
                                                                          • String ID: csm$csm
                                                                          • API String ID: 746414643-3733052814
                                                                          • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                          • Instruction ID: b5b1666795aaba3c2d228d1ecc3ad13f8f12becb8fc1dda9bf81c8b1a358d5e5
                                                                          • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                          • Instruction Fuzzy Hash: 6571B13250C682CAD722BF259450679BBA1FB40F99F848935DA8D4BBC5CF3CE451CB12
                                                                          Function 00007FF745FC195F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                          • API String ID: 0-4114407318
                                                                          • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                          • Instruction ID: 29b153498bce9c4c0560cf3b3249ec0f9d6050ba4902330f3c0c37dfbfd9c5cf
                                                                          • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                          • Instruction Fuzzy Hash: 20510432A1CB8586E711EB29E440BAAA7A1FB81BD0F800535EB9D07BE9CF3DD051D751
                                                                          Function 00007FF745FC5860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFrameInfo__except_validate_context_record
                                                                          • String ID: csm
                                                                          • API String ID: 2558813199-1018135373
                                                                          • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                          • Instruction ID: e29baace4759c5b9e0e564edb78195be1989b9580357093ee51790d908260105
                                                                          • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                          • Instruction Fuzzy Hash: DA51393261C742C6D725BB16A44426EB7B4FB88F95F540934EA8D07B96CF7CE460CB12
                                                                          Function 00007FF745FC17E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59networkCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • std::_Xinvalid_argument.LIBCPMT ref: 00007FF745FC17EB
                                                                          • WSAStartup.WS2_32 ref: 00007FF745FC186C
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC1475
                                                                            • Part of subcall function 00007FF745FC1450: fprintf.MSPDB140-MSVCRT ref: 00007FF745FC1485
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC1494
                                                                            • Part of subcall function 00007FF745FC1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14B3
                                                                            • Part of subcall function 00007FF745FC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14BE
                                                                            • Part of subcall function 00007FF745FC1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF745FC14C7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                                          • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                                          • API String ID: 1412700758-3183687674
                                                                          • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                          • Instruction ID: 0ae1a03df7562060f1173af53f859b3eb464eaddc8a4590b9eb28b6ea7c14181
                                                                          • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                          • Instruction Fuzzy Hash: D5017522A1C981D5F762FF52EC41BAAA750BB49B94F800435EE4D076D5CF3CD496C711
                                                                          Function 00007FF745FC1CE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastgethostname
                                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                          • API String ID: 3782448640-4114407318
                                                                          • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                          • Instruction ID: adda09da48a09fc37b2b800522efd0aa195bd002a313d8b47cef1cf34baab842
                                                                          • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                          • Instruction Fuzzy Hash: 3211C421A0C542C5F746BB61A8507FAA280FF86FA4F801A35DA9F172D6DF3CD0569361
                                                                          Function 00007FF745FC4158 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: terminate
                                                                          • String ID: MOC$RCC$csm
                                                                          • API String ID: 1821763600-2671469338
                                                                          • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                          • Instruction ID: a39eb10a396f0016d78e4c1ccb3712f3df91ae7e00ca52d4f86feda677ae0cc7
                                                                          • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                          • Instruction Fuzzy Hash: 76F0AF3691C246C1E32A7F91A14906CB374FF98F4AF895831D788062DACF7CE4A0C623
                                                                          Function 00007FF745FC20C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF745FC18EE), ref: 00007FF745FC21E0
                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF745FC221E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                          • String ID: Invalid process id '%d' error %d
                                                                          • API String ID: 73155330-4244389950
                                                                          • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                          • Instruction ID: 85e354d759d02e5224a7a07f0f63d7151d241d1277c24d2f5a43b68774cc79e3
                                                                          • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                          • Instruction Fuzzy Hash: F731CE22B0D782D5EB16BB5595442ADA2A1FB05FD0F980A31DB9D077D5CF7CE0508321
                                                                          Function 00007FF745FC3F84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF745FC173F), ref: 00007FF745FC3FC8
                                                                          • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF745FC173F), ref: 00007FF745FC400E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1839157621.00007FF745FC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF745FC0000, based on PE: true
                                                                          • Associated: 00000007.00000002.1839131882.00007FF745FC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839184027.00007FF745FC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839210535.00007FF745FCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000007.00000002.1839473300.00007FF745FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ff745fc0000_createdump.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                          • Instruction ID: 830ef4ef5a88aa3de84213271895f934133f9fc92ed9de8d044b5b8897deb443
                                                                          • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                          • Instruction Fuzzy Hash: 0B113D3261CB41C2EB25AB15F440269B7A0FB88F84F984A31EE8D07B98DF3DD555C700

                                                                          Non-executed Functions

                                                                          Function 00007FF6DBB62A10 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 209stringCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: strncmp$__acrt_iob_func$av_dict_freeav_strerrorfprintfprintf$av_dict_getos_event_init$__stdio_common_vfprintf_errnoav_dict_countav_dict_parse_stringav_mallocavformat_write_headeravio_alloc_contextavio_openbreallocmemmovepthread_createpthread_mutex_initstrerror
                                                                          • String ID: %s=%s$Couldn't open '%s', %s$Error opening '%s': %s$Failed to parse muxer settings: %s%s$Using muxer settings:
                                                                          • API String ID: 2783795328-2826353358
                                                                          • Opcode ID: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
                                                                          • Instruction ID: 22837be63d10760cad5ed0a85f62cf48aab16203783996d6446e0930396f6ddb
                                                                          • Opcode Fuzzy Hash: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
                                                                          • Instruction Fuzzy Hash: 75A18121F1AA8695FB14DB21D4513FC6360FB5E788F405137EA4D8B6A9EF2CE9748380
                                                                          Function 00007FF6DBB62EE0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 313COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_func$freemalloc$fprintf$ByteCharMultiWideav_rescale_q_rndrealloc$ErrorMode__stdio_common_vfprintf_fileno_setmodeav_interleaved_write_frameav_strerrormemsetsetvbuf
                                                                          • String ID: Couldn't initialize muxer$av_interleaved_write_frame failed: %d: %s
                                                                          • API String ID: 4192084208-164389310
                                                                          • Opcode ID: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
                                                                          • Instruction ID: 0f5e3b60242601eb7f7f0ce7b513fc1f33a33694039553608a48238edef296af
                                                                          • Opcode Fuzzy Hash: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
                                                                          • Instruction Fuzzy Hash: E0E1B322A0AA8586EB20DF65D8507BD77A0FB4EB84F405136DE0D8B768DF3CD965C780
                                                                          Function 00007FF6DBB63C5C Relevance: 13.6, APIs: 9, Instructions: 72COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 313767242-0
                                                                          • Opcode ID: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
                                                                          • Instruction ID: 8313755ee90c10a876cc9382add4df34cb42b0d816860dc68a6eea78ead372f3
                                                                          • Opcode Fuzzy Hash: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
                                                                          • Instruction Fuzzy Hash: 34318872A0AB8589EB608F64E8507ED7360FB89744F44403ADB4D8BB98DF3CD968C750
                                                                          Function 00007FF6DBB625C0 Relevance: 51.0, APIs: 6, Strings: 23, Instructions: 206COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                            • Part of subcall function 00007FF6DBB62570: printf.MSPDB140-MSVCRT ref: 00007FF6DBB62587
                                                                            • Part of subcall function 00007FF6DBB62530: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,00000000,00007FF6DBB62617,?,?,?,00007FF6DBB61BD6,?,?,?,00007FF6DBB61A02), ref: 00007FF6DBB62552
                                                                          • puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6DBB61BD6,?,?,?,00007FF6DBB61A02), ref: 00007FF6DBB628DF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: atoiprintfputs
                                                                          • String ID: Invalid number of audio tracks$Invalid number of video tracks$Must have at least 1 audio track or 1 video track$audio codec$audio track count$file name$muxer settings$stream key$video bitrate$video chroma sample location$video codec$video codec tag$video color primaries$video color range$video color trc$video colorspace$video fps den$video fps num$video height$video max luminance$video track count$video width${stream_key}
                                                                          • API String ID: 3402752964-4246942696
                                                                          • Opcode ID: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                                          • Instruction ID: 711a092c535701199f8288fc55c1c3b44408e6637f687d8daa672650faf77cdb
                                                                          • Opcode Fuzzy Hash: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                                          • Instruction Fuzzy Hash: 30812C6590A65691FA24DF51AA149FC2391BF0EB90B814033DD4D9F6BDDF3CE92AC380
                                                                          Function 00007FF6DBB61C50 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 215COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintffclosefprintfmallocos_event_signalos_event_waitpthread_mutex_lock
                                                                          • String ID: Error allocating memory for output$Error writing to '%s', %s
                                                                          • API String ID: 2637689336-4070097938
                                                                          • Opcode ID: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                                          • Instruction ID: 8086f2b5b56192bfc45e31cc9ec126a216fa274d102c334de27d59e0f5e79c6e
                                                                          • Opcode Fuzzy Hash: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                                          • Instruction Fuzzy Hash: 55A16E32A0AA8685E751DF25E4403FD6360FB4EB88F446032DE8D8B76DDF78D9658390
                                                                          Function 00007FF6DBB61A40 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 87stringCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6DBB61A6D
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB6204A
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB62065
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB62080
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB6209B
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB620B6
                                                                          • avformat_network_init.AVFORMAT-60 ref: 00007FF6DBB61A85
                                                                          • av_guess_format.AVFORMAT-60 ref: 00007FF6DBB61AAF
                                                                          • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6DBB61ABC
                                                                          • fprintf.MSPDB140-MSVCRT ref: 00007FF6DBB61AD0
                                                                          • avformat_alloc_output_context2.AVFORMAT-60 ref: 00007FF6DBB61AEC
                                                                          • av_strerror.AVUTIL-58 ref: 00007FF6DBB61B19
                                                                          • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6DBB61B23
                                                                          • fprintf.MSPDB140-MSVCRT ref: 00007FF6DBB61B38
                                                                            • Part of subcall function 00007FF6DBB62910: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6DBB61B4C), ref: 00007FF6DBB62939
                                                                            • Part of subcall function 00007FF6DBB62370: avcodec_free_context.AVCODEC-60 ref: 00007FF6DBB62388
                                                                            • Part of subcall function 00007FF6DBB62370: av_free.AVUTIL-58 ref: 00007FF6DBB623B1
                                                                            • Part of subcall function 00007FF6DBB62370: avio_context_free.AVFORMAT-60 ref: 00007FF6DBB623BD
                                                                            • Part of subcall function 00007FF6DBB62370: avformat_free_context.AVFORMAT-60 ref: 00007FF6DBB623CC
                                                                            • Part of subcall function 00007FF6DBB62370: avcodec_free_context.AVCODEC-60 ref: 00007FF6DBB62402
                                                                            • Part of subcall function 00007FF6DBB62370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6DBB62415
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: strncmp$__acrt_iob_funcavcodec_free_contextfprintf$av_freeav_guess_formatav_strerroravformat_alloc_output_context2avformat_free_contextavformat_network_initavio_context_freecallocfree
                                                                          • String ID: Couldn't find an appropriate muxer for '%s'$Couldn't initialize output context: %s$http$mpegts$video/M2PT
                                                                          • API String ID: 3777911973-2524251934
                                                                          • Opcode ID: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                                          • Instruction ID: ab766d12227c24cc22ac5df2a25edc8f94173f947f7a1803f60bf122ef5398da
                                                                          • Opcode Fuzzy Hash: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                                          • Instruction Fuzzy Hash: 4331A011E1A64642FA109B2594112BD6350BF8FB94F507237E95DCF6BDEF2CEC608780
                                                                          Function 00007FF6DBB614B0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 164COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_funcav_content_light_metadata_allocav_mastering_display_metadata_allocav_memdupav_stream_add_side_dataavcodec_alloc_context3avcodec_descriptor_get_by_name
                                                                          • String ID: 2$Couldn't find codec '%s'$E
                                                                          • API String ID: 3726879996-2734579634
                                                                          • Opcode ID: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                                          • Instruction ID: fd275c12cd0231c950fa9c24de5b1d0a3dd3e4b021a7a93050a168fac6b58faa
                                                                          • Opcode Fuzzy Hash: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                                          • Instruction Fuzzy Hash: D881F5766097848BD754CF15E54035DBBB0F78AB88F10502AEB8C8BB69DF7AD864CB40
                                                                          Function 00007FF6DBB61250 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 144COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_func$avcodec_descriptor_get_by_nameavcodec_find_encoder
                                                                          • String ID: Couldn't find codec '%s'$Couldn't find codec descriptor '%s'$title
                                                                          • API String ID: 3715327632-3279048111
                                                                          • Opcode ID: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
                                                                          • Instruction ID: 13c32226b179c9907a7b1bacd14d63f0db310f16b0cc7242440012f2ddb1f2fb
                                                                          • Opcode Fuzzy Hash: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
                                                                          • Instruction Fuzzy Hash: 6C61AF72606B858ADB08CF16E5903AD7760FB89B94F055036DF4E8B768DF38E465C740
                                                                          Function 00007FF6DBB617A0 Relevance: 19.6, APIs: 13, Instructions: 72COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: bfreefreeos_event_destroy$av_packet_freeav_write_traileros_event_signalpthread_joinpthread_mutex_destroypthread_mutex_lockpthread_mutex_unlock
                                                                          • String ID:
                                                                          • API String ID: 3736584056-0
                                                                          • Opcode ID: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
                                                                          • Instruction ID: e1f5c60f8bb4980a74cfa535ddffe5ae8922f477ec3f8c5a0ca95ad8ff09c3ff
                                                                          • Opcode Fuzzy Hash: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
                                                                          • Instruction Fuzzy Hash: 97311F22D1A68281E751DF35C4613BC2360FF9AB48F485132DE4D8E1AEDF29D9A5C390
                                                                          Function 00007FF6DBB62030 Relevance: 15.0, APIs: 5, Strings: 5, Instructions: 41stringCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB6204A
                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB62065
                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB62080
                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB6209B
                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB620B6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: strncmp
                                                                          • String ID: http$rist$srt$tcp$udp
                                                                          • API String ID: 1114863663-504309389
                                                                          • Opcode ID: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
                                                                          • Instruction ID: 08a3703df55165b1900049f79635ac3c1edc38e17776e804d3c3b1e318d1505a
                                                                          • Opcode Fuzzy Hash: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
                                                                          • Instruction Fuzzy Hash: E501E8A0B1590784FB214F22E44162C1364BB4EB95F845037C90DCB26CDF2DE979C7A0
                                                                          Function 00007FF6DBB62160 Relevance: 13.6, APIs: 9, Instructions: 98COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: memcpypthread_mutex_lockpthread_mutex_unlock$os_event_resetos_event_signalos_event_wait
                                                                          • String ID:
                                                                          • API String ID: 2918620995-0
                                                                          • Opcode ID: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
                                                                          • Instruction ID: 3e9321c38d61ddfe8612729247e3b51231656f3f771227fdcb0d30c7668283fb
                                                                          • Opcode Fuzzy Hash: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
                                                                          • Instruction Fuzzy Hash: 66415332A19A8181D711DF25E5513AD6760FB9ABD8F440033EF8D8BB6ECF38D5A48740
                                                                          Function 00007FF6DBB635E4 Relevance: 13.6, APIs: 9, Instructions: 94COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
                                                                          • String ID:
                                                                          • API String ID: 1184979102-0
                                                                          • Opcode ID: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
                                                                          • Instruction ID: b214b36f78c9003350a4a1f26fbbab5290a5fe248f0285a713aa5fa906c89279
                                                                          • Opcode Fuzzy Hash: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
                                                                          • Instruction Fuzzy Hash: 92311B61E0E60241EA14AB299452BBD1291BF5FB84F444037EA4DCF2FFDF6CEC248690
                                                                          Function 00007FF6DBB62370 Relevance: 10.6, APIs: 7, Instructions: 55COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • avcodec_free_context.AVCODEC-60 ref: 00007FF6DBB62388
                                                                          • avformat_free_context.AVFORMAT-60 ref: 00007FF6DBB623CC
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB6204A
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB62065
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB62080
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB6209B
                                                                            • Part of subcall function 00007FF6DBB62030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6DBB623A2), ref: 00007FF6DBB620B6
                                                                          • av_free.AVUTIL-58 ref: 00007FF6DBB623B1
                                                                          • avio_context_free.AVFORMAT-60 ref: 00007FF6DBB623BD
                                                                          • avio_close.AVFORMAT-60 ref: 00007FF6DBB623C4
                                                                          • avcodec_free_context.AVCODEC-60 ref: 00007FF6DBB62402
                                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6DBB62415
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: strncmp$avcodec_free_context$av_freeavformat_free_contextavio_closeavio_context_freefree
                                                                          • String ID:
                                                                          • API String ID: 1086289117-0
                                                                          • Opcode ID: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
                                                                          • Instruction ID: 771a0bbdc96e687f3983e6b40ca878dd67f0cefb249a3797d6c66b25bd3f639d
                                                                          • Opcode Fuzzy Hash: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
                                                                          • Instruction Fuzzy Hash: C7215032E0A65186FB109F25E45127C63A0FB4EF88F056537DA4D8B26DCF38D8628380
                                                                          Function 00007FF6DBB62990 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • avformat_new_stream.AVFORMAT-60(?,?,?,00007FF6DBB612F1), ref: 00007FF6DBB629AD
                                                                          • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6DBB612F1), ref: 00007FF6DBB629C0
                                                                          • fprintf.MSPDB140-MSVCRT ref: 00007FF6DBB629D3
                                                                            • Part of subcall function 00007FF6DBB62320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF6DBB629D8,?,?,?,00007FF6DBB612F1), ref: 00007FF6DBB62357
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1839190767.00007FF6DBB61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6DBB60000, based on PE: true
                                                                          • Associated: 0000000A.00000002.1839166807.00007FF6DBB60000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839224470.00007FF6DBB65000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1839662646.00007FF6DBB66000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          • Associated: 0000000A.00000002.1840057302.00007FF6DBB69000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ff6dbb60000_obs-ffmpeg-mux.jbxd
                                                                          Similarity
                                                                          • API ID: __acrt_iob_func__stdio_common_vfprintfavformat_new_streamfprintf
                                                                          • String ID: Couldn't create stream for encoder '%s'
                                                                          • API String ID: 306180413-3485626053
                                                                          • Opcode ID: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
                                                                          • Instruction ID: b8b9d5d5e7b72dd727ca204473ff0313ab08572ba13dcdbf8f6d24f6abc57862
                                                                          • Opcode Fuzzy Hash: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
                                                                          • Instruction Fuzzy Hash: 34F06D32B1AB8081EA48CB16F45106DA7A0FB8DBD0B489036EE4D8776DDF3CD961CB40