Windows Analysis Report
dropper.exe

Overview

General Information

Sample name: dropper.exe
Analysis ID: 1586409
MD5: b86ac1da682dbcf7461084e143b3b1ef
SHA1: 89b62f8b5d49330f9f2e56267b05797f0100a0d4
SHA256: b8fb42e30a46967c65fdbcd33e0d301049f3b077043a367ebdc1d89b73e210ed

Detection

Score: 66
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found direct / indirect Syscall (likely to bypass EDR)
Injects code into the Windows Explorer (explorer.exe)
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Uncommon Svchost Parent Process
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64native
  • dropper.exe (PID: 8776 cmdline: "C:\Users\user\Desktop\dropper.exe" MD5: B86AC1DA682DBCF7461084E143B3B1EF)
    • conhost.exe (PID: 8784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8920 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • winlogon.exe (PID: 884 cmdline: winlogon.exe MD5: A987B43E6A8E8F894B98A3DF022DB518)
      • lsass.exe (PID: 948 cmdline: C:\Windows\system32\lsass.exe MD5: 15A556DEF233F112D127025AB51AC2D3)
      • svchost.exe (PID: 568 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: F586835082F632DC8D9404D83BC16316)
      • fontdrvhost.exe (PID: 780 cmdline: "fontdrvhost.exe" MD5: AB7AB4CF816D091EEE234C1D9BC4FD13)
      • fontdrvhost.exe (PID: 688 cmdline: "fontdrvhost.exe" MD5: AB7AB4CF816D091EEE234C1D9BC4FD13)
      • svchost.exe (PID: 1072 cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1124 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: F586835082F632DC8D9404D83BC16316)
      • dwm.exe (PID: 1188 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 1276 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1312 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1344 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1352 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: F586835082F632DC8D9404D83BC16316)
      • IntelCpHDCPSvc.exe (PID: 1444 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe MD5: B6BAD2BD8596D9101874E9042B8E2D63)
      • svchost.exe (PID: 1452 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1484 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1528 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: F586835082F632DC8D9404D83BC16316)
      • igfxCUIService.exe (PID: 1740 cmdline: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe MD5: 91038D45A86B5465E8B7E5CD63187150)
      • svchost.exe (PID: 1748 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: F586835082F632DC8D9404D83BC16316)
      • IntelCpHeciSvc.exe (PID: 1764 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe MD5: 3B0DF35583675DE5A08E8D4C1271CEC0)
      • svchost.exe (PID: 1836 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1904 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1952 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1404 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 1400 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2100 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2272 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2392 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2424 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2492 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2588 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2676 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2684 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2692 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: F586835082F632DC8D9404D83BC16316)
      • svchost.exe (PID: 2748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: ...;(.....;#...P.;..., EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\dropper.exe, ProcessId: 8776, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HADES
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8920, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, ProcessId: 568, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: dropper.exe, Virustotal: Detection: 9%
Source: C:\Users\user\Desktop\dropper.exe, Code function: 0_2_00007FF66AC9B240 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036,0_2_00007FF66AC9B240
Source: C:\Windows\System32\cmd.exe, Code function: 3_2_00000222EDEBD8F0 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036,3_2_00000222EDEBD8F0
Source: C:\Windows\System32\cmd.exe, Code function: 3_2_00007FFB8354D8F0 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036,3_2_00007FFB8354D8F0
Source: dropper.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: dropper.pdb source: dropper.exe
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE700.tmp.pdb source: svchost.exe, 00000016.00000000.2109389392.000001A00AA56000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3757179787.000001A00AA56000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: svchost.exe, 00000016.00000000.2109389392.000001A00AA56000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb @ source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error\ source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062.pdb source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.3758073757.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109423592.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error source: svchost.exe, 00000016.00000002.3754385146.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000016.00000002.3758073757.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109423592.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991 source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error source: svchost.exe, 00000016.00000000.2109271639.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000016.00000002.3758073757.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109423592.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: JPDBwinload_prod.pdb source: svchost.exe, 00000016.00000002.3757179787.000001A00AA56000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000016.00000002.3754385146.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109271639.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.3754385146.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109271639.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000016.00000002.3758073757.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109423592.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000016.00000002.3754385146.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109271639.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Joe Sandbox View, IP Address: 1.1.1.1 1.1.1.1
Source: dropper.exeString found in binary or memory: http://ns.adobe.
Source: lsass.exe, 00000008.00000002.3773759620.000001A6E8471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3804753424.000001A6E8E75000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3797350186.000001A6E8DF6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2028238776.000001A6E8E82000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2027018909.000001A6E84AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2092329820.000001A6E8E3A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3803426096.000001A6E8E3C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026894037.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3792739585.000001A6E8CBC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2028140038.000001A6E8E40000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2027764996.000001A6E8DF5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2028238776.000001A6E8E79000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2027568351.000001A6E8CBC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.3695078768.000001A6E8E3A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026941377.000001A6E8471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3804753424.000001A6E8E82000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2027764996.000001A6E8D62000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3772267818.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3797350186.000001A6E8D62000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000008.00000002.3797350186.000001A6E8DF6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2092329820.000001A6E8E3A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3803426096.000001A6E8E3C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3792739585.000001A6E8CBC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2028140038.000001A6E8E40000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2027764996.000001A6E8DF5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2027568351.000001A6E8CBC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.3695078768.000001A6E8E3A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
Source: svchost.exe, 0000001A.00000002.3782618015.0000019DBEAD0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000008.00000000.2026894037.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3772267818.000001A6E8450000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 00000008.00000000.2026894037.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3772267818.000001A6E8450000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/rameters
Source: lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: lsass.exe, 00000008.00000002.3797350186.000001A6E8DF6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2092329820.000001A6E8E3A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3803426096.000001A6E8E3C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3792739585.000001A6E8CBC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2028140038.000001A6E8E40000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2027764996.000001A6E8DF5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2027568351.000001A6E8CBC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.3695078768.000001A6E8E3A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 00000022.00000002.3785541990.0000020AD3436000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msftconnecttest.com
Source: svchost.exe, 00000022.00000000.2150560229.0000020AD345A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msftconnecttest.com/
Source: lsass.exe, 00000008.00000000.2027568351.000001A6E8CA4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3792739585.000001A6E8CA4000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.3842779016.00000281293A7000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.2054905666.00000281293A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: svchost.exe, 00000009.00000002.3812866358.0000022294C64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.onenote.net/livetile/?Language=
Source: dropper.exe, tempdll.dll.0.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: svchost.exe, 0000002A.00000002.3823608251.00000202FAB49000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3831107503.00000202FADC6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2178601377.00000202FAB49000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comSRD1%
Source: lsass.exe, 00000008.00000000.2027568351.000001A6E8CA4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3792739585.000001A6E8CA4000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.3842779016.00000281293A7000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.2054905666.00000281293A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: svchost.exe, 0000002A.00000002.3778065093.00000202F9ADF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2174767466.00000202F9AD1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3116254902.00000202F9ADD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
Source: svchost.exe, 0000002A.00000002.3831107503.00000202FADC6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3778065093.00000202F9ADF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2174767466.00000202F9AD1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3116254902.00000202F9ADD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.comSRD1-
Source: svchost.exe, 0000002A.00000002.3778065093.00000202F9ADF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2174767466.00000202F9AD1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3116254902.00000202F9ADD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.comcom
Source: svchost.exe, 0000002A.00000002.3831107503.00000202FADC6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comSRD13
Source: svchost.exe, 00000009.00000000.2033788197.0000022294C69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3814289035.0000022294C69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://spclient.wg.spotify.com/v1/live-tile-xml?region=
Source: svchost.exe, 00000009.00000002.3817114875.0000022294CDF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2034030978.0000022294CDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.cn/shellRESP
Source: svchost.exe, 00000009.00000002.3817114875.0000022294CDF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2034030978.0000022294CDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com/shell
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.23.drString found in binary or memory: https://wns2-ch1p.notify.windows.com/?token=AwYAAACGiTEQswVIrEjPiqVsr%2b0hVpCqP3ntPOeOGJWvj%2bkqKtGA
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.23.drString found in binary or memory: https://wns2-ch1p.notify.windows.com/?token=AwYAAACX46x%2fpyfGe%2fo5ZavSq9O1DXvytZj%2fkbnyhdan1Sj5EG
Source: svchost.exe, 0000002A.00000003.3118401772.00000202FAE4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
Source: svchost.exe, 0000002A.00000003.3118401772.00000202FAE4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com.com
Source: svchost.exe, 0000002A.00000000.2180951951.00000202FAE4B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3118401772.00000202FAE4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com.comD
Source: svchost.exe, 0000002A.00000003.3116055886.00000202FA37B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3801479612.00000202FA37D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3831107503.00000202FADC6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2175623952.00000202FA343000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3808811185.00000202FA643000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2176321257.00000202FA652000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comSRD1#
Source: svchost.exe, 0000002A.00000000.2176427199.00000202FA664000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2181539761.00000202FAF43000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3836750005.00000202FAF43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/pwaimages
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC8A440 memcpy,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,NtOpenFile,memset,memset,OutputDebugStringW,OutputDebugStringW,NtCreateSection,memset,memset,OutputDebugStringW,OutputDebugStringW,GetCurrentProcess,NtMapViewOfSection,NtClose
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC9E90 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetModuleHandleW,FormatMessageW,GetLastError
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83559E90 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetModuleHandleW,FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC821C0
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC82DB0
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC81350
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC87340
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC84D10
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC852D0
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADD82D0
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC8A440
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC93070
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB3210
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB1C10
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB27E0
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADC99D0
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB0FA0
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB2F80
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB3560
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADDE770
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB2D40
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB1950
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB2320
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66AC94910
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB0110
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB1F10
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADD3D10
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADCF2E0
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB0A60
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB2A70
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADC0C70
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADB1640
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEBF7E0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEBD9E0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEA2DE0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEA69E0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEB43C0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEA7370
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDECAD80
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEDA580
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEA1350
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEB5D50
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEBE330
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC0340
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEA4D40
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEBEF10
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEDBB10
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEB8310
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEDA120
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDED4900
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEA5300
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEB5AD0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEBF4E0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC0AE0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDED6EE0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEAA4E0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEA7CE0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC00B0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC9E90
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEBE870
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC0850
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC0E30
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEB3830
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC0610
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEBF220
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEB5620
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEBFBF0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDED43F0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEA21F0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDED3800
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB835321F0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83543830
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83531350
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8354F7E0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8354D9E0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB835643F0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8354FBF0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83559E90
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8354E870
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83550850
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8354F220
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83550E30
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83564900
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83548310
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8354EF10
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8356BB10
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83566EE0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8354F4E0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB835500B0
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8355AD80
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB8356A580
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83568D60
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83545D50
Source: C:\Users\user\Desktop\dropper.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\dropper.exe | Process token adjusted: Security
Source: System.evtx.23.dr | Binary string: \Device\HarddiskVolume4\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeD
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exed
Source: System.evtx.23.dr | Binary string: C:\Device\HarddiskVolume4K
Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr | Binary string: \Device\NetbiosSmb
Source: System.evtx.23.dr | Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1m
Source: Microsoft-Windows-SMBServer%4Operational.evtx.23.dr | Binary string: computer WORKGROUP:\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: System.evtx.23.dr | Binary string: \Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.23.dr | Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1an
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume4\Windows\System32\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume4\Windows\System32\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeo
Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.23.dr | Binary string: C:\Device\HarddiskVolume4
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.23.dr | Binary string: J\Device\HarddiskVolume4\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.23.dr | Binary string: \\?\Volume{cb7fdaf7-d8ae-4a24-98ab-ca007942ac33}\Device\HarddiskVolume1iceV
Source: Security.evtx.23.dr | Binary string: \Device\HarddiskVolume4\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Security.evtx.23.dr | Binary string: \Device\HarddiskVolume4\Windows\System32\drivers\filetrace.syscom
Source: System.evtx.23.dr | Binary string: .\Device\HarddiskVolume2\EFI\Microsoft\Boot\BCD~
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeo
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.23.dr | Binary string: 1\Device\HarddiskVolume4\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exeT_AH**
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.23.dr | Binary string: >\Device\HarddiskVolume4\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.23.dr | Binary string: :\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: classification engine | Classification label: mal66.evad.winEXE@5/59@0/1
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDEC9E90 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetModuleHandleW,FormatMessageW,GetLastError
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8928:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8784:304:WilStaging_02
Source: C:\Users\user\Desktop\dropper.exe | File created: C:\Windows\Temp\tempdll.dll
Source: dropper.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dropper.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: dropper.exe | Virustotal: Detection: 9%
Source: unknown | Process created: C:\Users\user\Desktop\dropper.exe "C:\Users\user\Desktop\dropper.exe"
Source: C:\Users\user\Desktop\dropper.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dropper.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dropper.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\Desktop\dropper.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dropper.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\dropper.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dropper.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\winlogon.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\winlogon.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\cmd.exeAutomated click: OK
Source: C:\Windows\System32\cmd.exeAutomated click: OK
Source: C:\Windows\System32\cmd.exeAutomated click: OK
Source: C:\Windows\System32\cmd.exeAutomated click: OK
Source: C:\Windows\System32\cmd.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: dropper.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: dropper.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: dropper.exeStatic file information: File size 3264512 > 1048576
Source: dropper.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x15e800
Source: dropper.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1b0c00
Source: dropper.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dropper.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dropper.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dropper.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dropper.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dropper.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dropper.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: dropper.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: dropper.pdb source: dropper.exe
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE700.tmp.pdb source: svchost.exe, 00000016.00000000.2109389392.000001A00AA56000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3757179787.000001A00AA56000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: svchost.exe, 00000016.00000000.2109389392.000001A00AA56000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: dll.pdb source: dropper.exe, 00000000.00000003.1853076006.0000023B96E0A000.00000004.00000020.00020000.00000000.sdmp, dropper.exe, 00000000.00000002.1855345368.0000023B96E5C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2090608315.00000222EBD44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2039909697.00000222EBD44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2083552605.00000222EBD43000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp, cmd.exe, 00000003.00000003.2026068684.00000222EBD42000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2031358798.00000222EBD44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2042760213.00000222EBD43000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2098812389.00000222EBD43000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2048330988.00000222EBD44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, cmd.exe, 00000003.00000002.3750948221.00000222EBD2F000.00000004.00000001.00020000.00000000.sdmp, winlogon.exe, 00000007.00000002.3813628605.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, lsass.exe, 00000008.00000002.3826461826.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000009.00000002.3844163668.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000000D.00000002.3814968286.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000000F.00000002.3807083613.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000011.00000002.3808815257.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, IntelCpHDCPSvc.exe, 
00000013.00000002.3794291780.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000015.00000002.3836063413.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000016.00000002.3818227599.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000018.00000002.3805863289.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, igfxCUIService.exe, 00000019.00000002.3798790573.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000001A.00000002.3817876240.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, IntelCpHeciSvc.exe, 0000001B.00000002.3794326000.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000001F.00000002.3792743055.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000020.00000002.3799581425.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000002A.00000002.3842050385.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000002B.00000002.3813219112.00007FFB8356D000.00000002.00000001.01
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\winload_prod.pdb @ source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error\ source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062.pdb source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.3758073757.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109423592.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error source: svchost.exe, 00000016.00000002.3754385146.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000016.00000002.3758073757.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109423592.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991 source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error source: svchost.exe, 00000016.00000000.2109271639.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000016.00000002.3758073757.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109423592.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\download.error source: svchost.exe, 00000016.00000000.2109321609.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3755350161.000001A00AA48000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: JPDBwinload_prod.pdb source: svchost.exe, 00000016.00000002.3757179787.000001A00AA56000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000016.00000002.3754385146.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109271639.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\ntkrnlmp.pdb source: svchost.exe, 00000016.00000002.3754385146.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109271639.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: dll.pdb' source: dropper.exe, 00000000.00000003.1853076006.0000023B96E0A000.00000004.00000020.00020000.00000000.sdmp, dropper.exe, 00000000.00000002.1855345368.0000023B96E5C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2090608315.00000222EBD44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2039909697.00000222EBD44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2083552605.00000222EBD43000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp, cmd.exe, 00000003.00000003.2026068684.00000222EBD42000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2031358798.00000222EBD44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2042760213.00000222EBD43000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2098812389.00000222EBD43000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000003.2048330988.00000222EBD44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, cmd.exe, 00000003.00000002.3750948221.00000222EBD2F000.00000004.00000001.00020000.00000000.sdmp, winlogon.exe, 00000007.00000002.3813628605.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, lsass.exe, 00000008.00000002.3826461826.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000009.00000002.3844163668.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000000D.00000002.3814968286.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000000F.00000002.3807083613.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000011.00000002.3808815257.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, IntelCpHDCPSvc.exe, 
00000013.00000002.3794291780.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000015.00000002.3836063413.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000016.00000002.3818227599.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000018.00000002.3805863289.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, igfxCUIService.exe, 00000019.00000002.3798790573.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000001A.00000002.3817876240.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, IntelCpHeciSvc.exe, 0000001B.00000002.3794326000.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000001F.00000002.3792743055.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000020.00000002.3799581425.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000002A.00000002.3842050385.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 0000002B.00000002.3813219112.00007FFB8356D000.00000002.00000001.0
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000016.00000002.3758073757.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109423592.000001A00AA6B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\download.error source: svchost.exe, 00000016.00000002.3754385146.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2109271639.000001A00AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: dropper.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dropper.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dropper.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dropper.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dropper.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\dropper.exe | File created: C:\Windows\Temp\tempdll.dll
Source: C:\Users\user\Desktop\dropper.exe | File created: C:\Windows\Temp\tempdll.dll

Boot Survival

Source: C:\Users\user\Desktop\dropper.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HADES
Source: C:\Users\user\Desktop\dropper.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HADES
Source: C:\Users\user\Desktop\dropper.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HADES

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\dropper.exe | Section loaded: OutputDebugStringW count: 1273
Source: C:\Windows\System32\cmd.exe | Section loaded: OutputDebugStringW count: 1973
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 9063
Source: C:\Users\user\Desktop\dropper.exe | Dropped PE file which has not been started: C:\Windows\Temp\tempdll.dll
Source: C:\Windows\System32\cmd.exe | API coverage: 9.0 %
Source: C:\Windows\System32\svchost.exe TID: 2468 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: lsass.exe, 00000008.00000000.2027075524.000001A6E84BA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000009.00000002.3801518006.0000022294436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicheartbeat
Source: svchost.exe, 00000017.00000000.2113503824.0000027B8DE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3760479081.0000027B8DE40000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: lsass.exe, 00000008.00000000.2027075524.000001A6E84BA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000009.00000000.2033863194.0000022294C8A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: svchost.exe, 00000009.00000002.3801518006.0000022294436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@vmicheartbeat
Source: svchost.exe, 0000000C.00000000.2045905994.000001FB1D22A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3758067364.000001FB1D22A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWM#
Source: svchost.exe, 00000009.00000002.3801518006.0000022294436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: svchost.exe, 0000000C.00000000.2045905994.000001FB1D22A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3758067364.000001FB1D22A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.3757148134.0000020AD2A51000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.3757148134.0000020AD2A64000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.3756168307.0000020AD2A2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.2149396381.0000020AD2A51000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.2149396381.0000020AD2A64000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.2149350220.0000020AD2A2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.2159233022.00000257A0C24000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000002.2533044783.00000257A0C24000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000020.00000000.2144362521.00000205A9E00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000008.00000000.2027075524.000001A6E84BA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000017.00000003.2240661704.0000027B8E72D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3816855479.0000027B8EE1C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.2114092580.0000027B8E712000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-PushNotification-Platform%4Operational.evtx.23.dr | Binary or memory string: <device><compact-ticket>t=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</compact-ticket><id>001840118039654A</id></device>s(
Source: svchost.exe, 00000009.00000002.3801518006.0000022294436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicshutdown
Source: svchost.exe, 00000009.00000002.3801518006.0000022294436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicshutdown
Source: lsass.exe, 00000008.00000000.2026806067.000001A6E8413000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3769933244.000001A6E8413000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3758410020.0000023118413000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.2049966693.0000023118413000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.2089138715.000002A44E42B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.3755048654.000002A44E42B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2091618631.000002AEA102E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3755179541.000002AEA102E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.2102748453.000002B6E1C6F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3778096301.000002B6E1C5B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.2113503824.0000027B8DE40000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000009.00000000.2033863194.0000022294C8A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: svchost.exe, 00000009.00000002.3801518006.0000022294436000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicheartbeat
Source: svchost.exe, 00000017.00000003.2240661704.0000027B8E72D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3816855479.0000027B8EE1C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.2114092580.0000027B8E712000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-PushNotification-Platform%4Operational.evtx.23.dr | Binary or memory string: <device><compact-ticket>t=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</compact-ticket><id>001840118039654A</id></device>
Source: C:\Windows\System32\cmd.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\svchost.exe | Process queried: DebugObjectHandle
Source: C:\Windows\System32\svchost.exe | Process queried: DebugObjectHandle
Source: C:\Windows\System32\svchost.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADD7D54 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF66ADD7D54
Source: C:\Users\user\Desktop\dropper.exe | Process token adjusted: Debug
Source: C:\Windows\System32\cmd.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADD7D54 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF66ADD7D54
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00000222EDED9BBC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00000222EDED9BBC
Source: C:\Windows\System32\cmd.exe | Code function: 3_2_00007FFB83569BBC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FFB83569BBC
Source: C:\Users\user\Desktop\dropper.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\dropper.exe | Memory allocated: C:\Windows\System32\cmd.exe base: 222EBAD0000 protect: page read and write
Source: C:\Users\user\Desktop\dropper.exe | Thread created: C:\Windows\System32\cmd.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\fontdrvhost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 956804F0
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: C:\Windows\System32\svchost.exe EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exeThread created: unknown EIP: 956804F0Jump to behavior
Source: C:\Windows\System32\cmd.exe | Thread created: unknown EIP: 956804F0 (this entry is logged 159 times in the report)
Source: C:\Windows\System32\cmd.exe | Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Desktop\dropper.exe | NtAllocateVirtualMemory: Direct from: 0x7FF66AC96A2F
Source: C:\Users\user\Desktop\dropper.exe | NtProtectVirtualMemory: Direct from: 0x7FFB97262651
Source: C:\Users\user\Desktop\dropper.exe | NtWriteFile: Direct from: 0x7FF66ADBF617
Source: C:\Users\user\Desktop\dropper.exe | NtQueryInformationProcess: Direct from: 0x7FF66AC8F67F
Source: C:\Users\user\Desktop\dropper.exe | NtCreateThreadEx: Direct from: 0x7FF66AC8D30A
Source: C:\Users\user\Desktop\dropper.exe | NtCreateFile: Direct from: 0x7FF66ADBF485
Source: C:\Users\user\Desktop\dropper.exe | NtClose: Direct from: 0x7FF66AC8BF83
Source: C:\Users\user\Desktop\dropper.exe | NtProtectVirtualMemory: Direct from: 0x7FF66AC8DBFB
Source: C:\Users\user\Desktop\dropper.exe | NtClose: Direct from: 0x7FF66ADB9691
Source: C:\Users\user\Desktop\dropper.exe | NtUnmapViewOfSection: Direct from: 0x7FF66AC8F7E5
Source: C:\Users\user\Desktop\dropper.exe | NtAllocateVirtualMemory: Direct from: 0x7FF66AC8F694
Source: C:\Users\user\Desktop\dropper.exe | NtUnmapViewOfSection: Direct from: 0x7FF66AC89D14
Source: C:\Users\user\Desktop\dropper.exe | NtSetInformationThread: Direct from: 0x7FF66ADD7937
Source: C:\Users\user\Desktop\dropper.exe | NtClose: Direct from: 0x7FF66AC89E04
Source: C:\Users\user\Desktop\dropper.exe | NtMapViewOfSection: Direct from: 0x7FF66AC8FAF4
Source: C:\Users\user\Desktop\dropper.exe | NtSetValueKey: Indirect: 0x7FF66AC93B0C
Source: C:\Users\user\Desktop\dropper.exe | NtWriteVirtualMemory: Direct from: 0x7FF66AC8D0BA
Source: C:\Users\user\Desktop\dropper.exe | NtAllocateVirtualMemory: Direct from: 0x7FF66AC8D076
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: 2820000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: 2980000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: 2990000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: 29E0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: 2AA0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: 9600000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A1B0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A1C0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A1D0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A1E0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A1F0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A200000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A250000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A260000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A370000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A380000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A8B0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: A8C0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AC90000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: 29A0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: ACA0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: ACB0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: ACC0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AD50000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AD60000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AD70000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AD80000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AF80000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AF90000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AFA0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AFB0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AFC0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AFD0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: AFE0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: B200000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: B210000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: B520000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: B680000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: B690000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: B6A0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: B6B0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: B6C0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: BAF0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: BB00000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: BFB0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: CDE0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: DB00000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: DED0000 value: 43
Source: C:\Windows\System32\cmd.exe | Memory written: PID: 1588 base: DEE0000 value: 43
Source: C:\Users\user\Desktop\dropper.exe | Memory written: C:\Windows\System32\cmd.exe base: 222EBAD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\winlogon.exe base: 20487FC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\winlogon.exe base: 20488040000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\winlogon.exe base: 20488050000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\winlogon.exe base: 20488450000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6E8BA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA850000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA870000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA880000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA890000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA8A0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA8B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA8C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA8D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA8E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA8F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\lsass.exe base: 1A6EA900000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22295800000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296AA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296AB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296AC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296AD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296AE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296AF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B00000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B10000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B20000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B30000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B40000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B50000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B60000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B70000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B80000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296B90000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296BA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296BB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296BC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296BD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296BE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22296BF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1ABE6030000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1ABE6040000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1ABE6050000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1ABE7330000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1ABE7340000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1E87A220000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1E87A230000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1E87A240000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1E87A250000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: 1E87A260000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1D1E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1DAA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1DAB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1DAC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1DAD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1DAE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1DAF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1DB00000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB1DB10000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 231183A0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 231183D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 231183E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 231183F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2311A340000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F560000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F570000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F520000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F590000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F5A0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F5B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F5C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F5D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F5E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F5F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F600000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F610000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F580000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F680000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\dwm.exe base: 2812F670000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F13560000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F147F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F14800000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F14810000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F14820000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A44E3D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A44E3E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A44E3F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A44EBA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEA1D70000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEA3000000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEA3010000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F03B930000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F03B940000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F03B950000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F03B960000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1E79C910000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1E79C970000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1E79C980000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 1E79C990000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C3CB5B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C3CB5C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C3CB5D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C3CB5E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C3CB5F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E29D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E29E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2CB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2CC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2CD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2CE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2CF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2D00000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2D10000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2D20000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2D30000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2D40000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2D50000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2D60000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B6E2D70000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A00B9B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A00B9D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A00CC50000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A00CC60000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27B8DDF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27B8E5E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27B8E5F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27B8E870000
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E880000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E890000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E8A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E8B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E8C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E8D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E8E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E8F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E900000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 27B8E910000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C5D3DA0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C5D3DC0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 1EA06560000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 1EA06590000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 1EA07800000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DBF260000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DBF280000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DC0500000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DC0510000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DC0520000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DC0530000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DC0540000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DC0550000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 19DC0560000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1D32B9F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1D32C300000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1D32D580000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 1D32D590000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1FDAEBF0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1FDAF4A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1FDAF4B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1FDAF4C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1D3CA110000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1D3CA120000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1D3CA130000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1D3CA140000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1D3CA150000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1D3CA160000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A706C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A706D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A706E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 26E697B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 26E697D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 26E697F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 26E69FA0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205AA720000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205AA730000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205AA760000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 189103C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 189103D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 189103E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 189103F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 18911940000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 18911950000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 18911960000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20AD29D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20AD29E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20AD29F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20AD31A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 15488120000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 15488130000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 15488140000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 15488150000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 15488160000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 15488170000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 15488180000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20E2E490000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20E2E4A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 257A13C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 257A13D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 257A13E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D76B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D76C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D76D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D76E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D76F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D7700000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D7710000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D7720000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D7730000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1C2D7740000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1AE8A990000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1AE8A9A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1AE8A9B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1AE8A9C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1AE8A9D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1AE8A9E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1AE8A9F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1AE8B040000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 23FEB2C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 23FEB2D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 23FEB2E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 23FEB2F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A2D7F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A2DFA0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A2DFB0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A2DFC0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A2DFD0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A2DFE0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A2DFF0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 22A2E680000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FA420000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FA580000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FA5B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FA5C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FA5D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FA5E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FA5F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FC260000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 202FC270000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2C0B2FA0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2C0B2FD0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2C0B2FE0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2C0B2FF0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03B60000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03B70000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03B80000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03B90000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03BA0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03BB0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03BC0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03BD0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03BE0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B03BF0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B04140000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B04150000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B04160000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B04170000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B04180000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21B04190000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\spoolsv.exe base: 840000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\spoolsv.exe base: 890000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1580000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1590000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\spoolsv.exe base: 15A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\spoolsv.exe base: 15B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\spoolsv.exe base: 18C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\spoolsv.exe base: 32B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2B9B87B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2B9B87C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2B9B87D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2B9B87E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2B9B87F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 2B9B8FA0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559130000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559160000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559170000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559180000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559190000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205591A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205591B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205591C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205591D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205591E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 205591F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559500000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559510000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559520000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559530000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559540000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 20559550000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21F146C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21F147F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21F15FA0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21F15FB0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 21F15FC0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1479E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1B148280000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1B148290000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF560000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF570000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF580000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF590000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF5A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF5B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF5C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF5D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF5E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 238DF5F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 16A883F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 16A89BC0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 16A89BD0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 16A89BE0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 16A89BF0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 28AF59E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 28AF59F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 13DF7F80000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 13DF7FE0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 13DF8220000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 13DF8230000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 13DF8240000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 13DF8250000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 13DF8260000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 13DF8270000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1F1AC560000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1F1AC580000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1F1AC590000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1F1AC5A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 1F1AC5B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 239FEF60000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 239FEF90000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 239FEFA0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 239FEFB0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 239FEFC0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Windows\System32\svchost.exe base: 239FEFD0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 206759E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20676C70000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678050000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678060000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678070000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678080000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678090000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 206780A0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 206780B0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 206780C0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 206780D0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 206780E0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 206780F0000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678100000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678110000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678120000Jump to behavior
Source: C:\Windows\System32\cmd.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 20678130000Jump to behavior
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B17E290000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B17E2C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B17E2D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B17E2E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B17E2F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B17E300000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC680000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC6B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC6C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC6D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC6E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC6F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC700000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC710000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC720000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC730000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC740000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 27FFC750000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 17922490000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 17922770000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 17922780000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E265FF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2667A0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2667B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2667C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2667D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2667E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2667F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAC5200000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAC5F10000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAC5F30000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAC5F70000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAC5F80000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAC5F90000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAC5FA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAC5FB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC71C40000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC71CB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC71CC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC71CD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC71CE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC74720000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC74730000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC74740000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC74750000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC74760000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC74770000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\sihost.exe base: 2CC74780000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B350BA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352BB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352BC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352BD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352BE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352BF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352F40000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352F50000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352F60000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352F70000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352F80000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B352F90000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: FD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: FE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: FF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 1000000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 1010000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 1020000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B31CF40000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B31CF90000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B31CFA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B31CFB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B31D3F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B31D800000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B31D810000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B31D820000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D6AAEE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D6AC170000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D6AC180000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D6AC190000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D6AC1A0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D6AC1B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D39B520000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D39B550000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D39B560000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D39B570000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D39B580000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D39B590000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 24ACDE90000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 24ACDEA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 24ACDEB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 24ACDEC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 24ACDED0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\svchost.exe base: 24ACDEE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 168306C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 168306D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 168306E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 168306F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 16830700000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 16830710000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 16830720000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 16830730000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 16830740000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 16830750000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 16830760000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 16830770000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: 2820000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: 2980000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: 2990000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: 29E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: 2AA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: 9600000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A1B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A1C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A1D0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A1E0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A1F0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A200000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A250000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A260000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A370000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A380000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A8B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: A8C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AC90000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: 29A0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: ACA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: ACB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: ACC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AD50000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AD60000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AD70000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AD80000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AF80000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AF90000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AFA0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AFB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AFC0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AFD0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: AFE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: B200000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: B210000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: B520000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: B680000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: B690000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: B6A0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: B6B0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: B6C0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: BAF0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: BB00000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: BFB0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: CDE0000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\explorer.exe base: DB00000
Source: winlogon.exe, 00000007.00000002.3787269745.0000020488930000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.2024818429.0000020488930000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2053714570.00000281272F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: winlogon.exe, 00000007.00000002.3787269745.0000020488930000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.2024818429.0000020488930000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2053714570.00000281272F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000007.00000002.3787269745.0000020488930000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.2024818429.0000020488930000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2053714570.00000281272F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000007.00000002.3787269745.0000020488930000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.2024818429.0000020488930000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2053714570.00000281272F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\Windows\Temp\tempdll.dll VolumeInformation
Source: C:\Users\user\Desktop\dropper.exe | Code function: 0_2_00007FF66ADD7C2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF66ADD7C2C

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiSpyware 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiVirus 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine | Registry value created: MpEnablePus 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableOnAccessProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting | Registry value created: DisableEnhancedNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet | Registry value created: DisableBlockAtFirstSeen 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet | Registry value created: SpynetReporting 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet | Registry value created: SubmitSamplesConsent 1
Source: Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.23.dr | Binary or memory string: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpEng.exe
MITRE ATT&CK Matrix, by tactic column (the number shown with a technique cell is kept in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Registry Run Keys / Startup Folder (11); LSASS Driver (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (42); Abuse Elevation Control Mechanism (1); Registry Run Keys / Startup Folder (11); LSASS Driver (1); DLL Side-Loading (1); Bypass User Account Control (1); Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (13); Disable or Modify Tools (31); Process Injection (42); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Bypass User Account Control (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (41); Virtualization/Sandbox Evasion (13); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
dropper.exe | 10% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://excel.office.comSRD1% | 0% | Avira URL Cloud | safe
https://word.office.com.comD | 0% | Avira URL Cloud | safe
https://word.office.com.com | 0% | Avira URL Cloud | safe
https://outlook.comcom | 0% | Avira URL Cloud | safe
https://powerpoint.office.comSRD13 | 0% | Avira URL Cloud | safe
https://word.office.comSRD1# | 0% | Avira URL Cloud | safe
https://outlook.comSRD1- | 0% | Avira URL Cloud | safe
http://ns.adobe. | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://word.office.com | svchost.exe, 0000002A.00000003.3118401772.00000202FAE4E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com/shell | svchost.exe, 00000009.00000002.3817114875.0000022294CDF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2034030978.0000022294CDF000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://outlook.comcom | svchost.exe, 0000002A.00000002.3778065093.00000202F9ADF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2174767466.00000202F9AD1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3116254902.00000202F9ADD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.rs/getrandom#nodejs-es-module-support | dropper.exe, tempdll.dll.0.dr | false | | high
https://wns2-ch1p.notify.windows.com/?token=AwYAAACGiTEQswVIrEjPiqVsr%2b0hVpCqP3ntPOeOGJWvj%2bkqKtGA | Microsoft-Windows-PushNotification-Platform%4Operational.evtx.23.dr | false | | high
https://word.office.com.comD | svchost.exe, 0000002A.00000000.2180951951.00000202FAE4B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3118401772.00000202FAE4E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.office.com/pwaimages | svchost.exe, 0000002A.00000000.2176427199.00000202FA664000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2181539761.00000202FAF43000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3836750005.00000202FAF43000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000008.00000000.2026894037.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3772267818.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | svchost.exe, 0000001A.00000002.3782618015.0000019DBEAD0000.00000002.00000001.00040000.00000000.sdmp | false | | high
https://outlook.com | svchost.exe, 0000002A.00000002.3778065093.00000202F9ADF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2174767466.00000202F9AD1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3116254902.00000202F9ADD000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID | svchost.exe, 00000017.00000003.2234926204.0000027B90763000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.2120310368.0000027B90763000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2238601579.0000027B90763000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-LiveId%4Operational.evtx.23.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000008.00000000.2026894037.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3772267818.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com.com | svchost.exe, 0000002A.00000003.3118401772.00000202FAE4E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.comSRD1% | svchost.exe, 0000002A.00000002.3823608251.00000202FAB49000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3831107503.00000202FADC6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2178601377.00000202FAB49000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://spclient.wg.spotify.com/v1/live-tile-xml?region= | svchost.exe, 00000009.00000000.2033788197.0000022294C69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3814289035.0000022294C69000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.comSRD13 | svchost.exe, 0000002A.00000002.3831107503.00000202FADC6000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/soap12/P | lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://outlook.comSRD1- | svchost.exe, 0000002A.00000002.3831107503.00000202FADC6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3778065093.00000202F9ADF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2174767466.00000202F9AD1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000003.3116254902.00000202F9ADD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.cn/shellRESP | svchost.exe, 00000009.00000002.3817114875.0000022294CDF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2034030978.0000022294CDF000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.quovadis.bm0 | lsass.exe, 00000008.00000000.2027568351.000001A6E8CA4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3792739585.000001A6E8CA4000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.3842779016.00000281293A7000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.2054905666.00000281293A7000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns2-ch1p.notify.windows.com/?token=AwYAAACX46x%2fpyfGe%2fo5ZavSq9O1DXvytZj%2fkbnyhdan1Sj5EG | Microsoft-Windows-PushNotification-Platform%4Operational.evtx.23.dr | false | | high
https://word.office.comSRD1# | svchost.exe, 0000002A.00000003.3116055886.00000202FA37B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3801479612.00000202FA37D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3831107503.00000202FADC6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2175623952.00000202FA343000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.3808811185.00000202FA643000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002A.00000000.2176321257.00000202FA652000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000008.00000000.2026894037.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3772267818.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000008.00000000.2026894037.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3772267818.000001A6E8450000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/rameters | lsass.exe, 00000008.00000002.3771024385.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2026847426.000001A6E842F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://ns.adobe. | dropper.exe | false | Avira URL Cloud: safe | unknown
https://ocsp.quovadisoffshore.com0 | lsass.exe, 00000008.00000000.2027568351.000001A6E8CA4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3792739585.000001A6E8CA4000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.3842779016.00000281293A7000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.2054905666.00000281293A7000.00000004.00000001.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1586409
                                                Start date and time:2025-01-09 03:05:26 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 12m 9s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                                Run name:Run with higher sleep bypass
Number of new started processes analysed:7
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:37
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:dropper.exe
                                                Detection:MAL
                                                Classification:mal66.evad.winEXE@5/59@0/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:Failed
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, conhost.exe
                                                • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
1.1.1.1 | 6fW0GedR6j.xls | malicious | Unknown | 1.1.1.1/ctrl/playback.php
1.1.1.1 | PO-230821_pdf.exe | malicious | FormBook, NSISDropper | www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
1.1.1.1 | AFfv8HpACF.exe | malicious | Unknown | 1.1.1.1/
1.1.1.1 | INVOICE_90990_PDF.exe | malicious | FormBook | www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
1.1.1.1 | Go.exe | malicious | Unknown | 1.1.1.1/
                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252F8fi5.veracidep.ru%2525252F9rQQ7pYZ%2525252F%25252FGnrm%25252FJIy6AQ%25252FAQ%25252Fc8a642e1-b752-489d-a606-2e0c28c9f43c%25252F1%25252Fp3ItI-koyL%252FGnrm%252FJYy6AQ%252FAQ%252F96a81154-bc5a-4dec-811a-9ad4ee762256%252F1%252FydnKIiaQi0%2FGnrm%2FJoy6AQ%2FAQ%2F9c58c880-73af-4c48-9b37-4983856d006d%2F1%2FdSmT7Kur-Y/Gnrm/J4y6AQ/AQ/dd03067b-b850-464f-b99d-a4582f20c822/1/nPxHYVfVwy#bWF5cmFAYnVpbGRpbmdiYWNrdG9nZXRoZXIub3Jn | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | I334hDwRjj.exe | malicious | Blank Grabber, Njrat | 162.159.137.232
CLOUDFLARENETUS | https://redduppgh.com/ | malicious | Unknown | 104.17.24.14
CLOUDFLARENETUS | https://irpf2025.imbrava.com.br/ | malicious | HTMLPhisher | 104.19.229.21
CLOUDFLARENETUS | https://keycaptoys.com/ | malicious | Unknown | 23.227.38.70
CLOUDFLARENETUS | https://www.google.at/url?sa==ChR6Fb4oMA7qoNPeAF0HryTWGOi&rct=mCcPfNgQLHn7TqSCLwLAghdNeRqdmhaOmrXNGpkofpekJnfvmVMTgxKB7tJBUVJOPR&sa=t&url=amp/joister.net/tt/ttt/NnDmPaDN5vfTnmu2pfF1Y4Kbkrm/aW5mb0BhY2FnbG9iYWwuY29t | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | http://www.padlockskeyed-shop.com/ | malicious | Unknown | 172.67.147.75
CLOUDFLARENETUS | http://synthex.cheating.store/ | malicious | Unknown | 104.16.79.73
CLOUDFLARENETUS | http://thehalobun.com/ | malicious | HTMLPhisher | 172.66.43.98
CLOUDFLARENETUS | https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxsYmJ5tlN1JIFNOQtoSEGkLgECYxMchW4UXMllXUALJmesTsjgTR1H-2FvUTVSSAEe4R1GQy-2Bvbd8Zmmy4leDYmh9UNV6oDPX-2BT4wzcyKrfAdXvv6hKSBoru3q77depPs43qOB1DgUqmMdQP-2BNz7H62jYGp-2BH9nmpPKVjXmtKn9w5STVYGL4aqMBL65ruXSYeXZw-3D-3Didct_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419OCcA-2Bhorh4noX10R0htjc0oQD2shNvY2qd7sBvACS4ZxcOvRGqgf-2FzJzWjtjVb7R-2Fc1EPJdReLV-2BtujCvON-2Bc7V1MBDoLDS-2FjF655eEyLK512HQYbp-2FAbQ3P7q3sD01OmQtuWrJdDi7i9EqNYnB7vGsmi9YvC3tf2fi-2F59j5CgE2Yo8KxAbs4pwwxMvCRmFfOK49lsAVAfn3guJ7HTuaWX | malicious | Unknown | 104.22.78.115
                                                No context
                                                No context
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.318032191374107
                                                Encrypted:false
                                                SSDEEP:192:H8V7IF0RuqHQOnbgpib8AtYl+HDJ86PL+2SSD2Czp0gy16ZcC0/oUhQXzgwPtFqk:chkyHQOLt5jR7zpkYQ9SM/TG6OtiY
                                                MD5:EFA13948ED9ECAF8F7CFF2308264151D
                                                SHA1:711B2AE985C60325A4B409986027A26898AF2F62
                                                SHA-256:3C15AED99AE7D0BE14AC550F0E9E46127D07EE7314897DF7AD26CDBAA36C499A
                                                SHA-512:1973C2ECDA6E6B4D732ACEECF2B750AD3F727B0E94FBD3869903818E9FCB23D60A3A6B161ED4E57A48817FB04B6C0D53CB5602C7AF497C60227EC06AE5F138DF
                                                Malicious:false
                                                Preview:ElfChnk.u...............u............................RE......................................................................V.-................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...............................9...........................).......................**......u.........K.i........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.4710014455358678
                                                Encrypted:false
                                                SSDEEP:384:whBNimLN3UN3pNINcN3uN36ZN3fcN3dN3xzN3lN3RN3sN3YN3zN3TN3JN3xN3kNi:wAaC30SyTx57f6u5Z3/y2FpwsJJ
                                                MD5:54E17E1105233016224459A9929D930B
                                                SHA1:F644FB4779839849143754497E3C3CDF266DCF63
                                                SHA-256:24CA1C50D54796673DAEF72F66E62B7DDFABA9100F1489CA103A77E0C29DC5E9
                                                SHA-512:224DE5966939B836F3A9895C1086856A9308EF640BC890E331B2628BD84D45C8C1C540C55B1A300EA81C85E894FD2AD8EEB8931504D3196A03964D779FE197A6
                                                Malicious:false
                                                Preview:ElfChnk._.......y......._.......y............G..xI..........................................................................dP{.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**......_..........f,........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):66960
                                                Entropy (8bit):4.313893034451686
                                                Encrypted:false
                                                SSDEEP:384:wVWVRhKVQV7VdVdEV/jVAVjVKV+VsV6VxVpV5mVmVoVJVsVuVSVRVLViVfV3VFVP:DfMtRq6
                                                MD5:86911A38B96AFB74BCB6023270ED93E3
                                                SHA1:AB75062C05234CFF363799B3775FE3F9B25A32C8
                                                SHA-256:A2C99BB125ABAAE2308BA7E73E07A56DBBE63912D91AF4225CC9BAB6AC6F9A55
                                                SHA-512:543747148873A8B6920F96260E9F2E8A2DB2C82300389F8212BA7B8DC9CE1EE679CA6D7AF0D5F54B7A6AC3BADF23FD03FEACBFA14859423B0C6B5CD928F9980E
                                                Malicious:false
                                                Preview:ElfChnk.|(.......(......|(.......(..........hj..0l..&.........................................................................75................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&............................................&...............................#......**.......(.........C;b......../X.P&...............................................................@.......X...a.!.....E..........@...C;b...H...b..]J...b..8........(...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y............**.......(.........C;b......../X
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.393240454738631
                                                Encrypted:false
                                                SSDEEP:1536:JO1fni2TDyiWAZfBzB6BbB2e76BY723KDi/OyazwNJCmikDw:MfjDyqA
                                                MD5:F6247DCC219D77EC7D51B8155BD46CCD
                                                SHA1:32DAE3BD0552D85680FF270C06DF8203A01B8877
                                                SHA-256:B982F9C57E1B43E29BFBDA89912BF800FD9963E70CF7479816BE049860973CE1
                                                SHA-512:DAD9F2CC1ED55324C7D09AFF1C6D19565E810BF88E1557A6FC6300730BC21AE04DB1FF279F4492CB9288824E509D6C9F82E89D2E069ACBA8F7214F6318B33C4D
                                                Malicious:false
                                                Preview:ElfChnk..'.......'.......'.......(...................8......................................................................<^................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................3W..#>.......................N..&........................................8...;.......@......;5...........`..........**.......'........~........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.339308262162924
                                                Encrypted:false
                                                SSDEEP:384:L1hm+iMNEi1itiXiYiAiQiCiYiXiviCiriMiKiYili+iciSiVciji/DiQisiKi7E:L18
                                                MD5:A2EB43F391629DE9C10F61528EFEB6C2
                                                SHA1:A4D8BF522748880873E867384B7A14877CD70FC6
                                                SHA-256:7458FC48D60578A84E2486E607162FF0DB54D163A507C030486BFB4B5159635F
                                                SHA-512:3424D2D8933C034BE31CE3682CCE357367837DE21B46830AC8EB697A7EC254543A3558A10193AF95F9041FCDA1629A465BDDA0489C4F067A5948A97E94008EFC
                                                Malicious:false
                                                Preview:ElfChnk.........3...............3........... z..h|...MM.......................................................................6.............................................=...........................................................................................................................f...............?...................................b...........M...F...........................................................&.......................................................................................**..X..............w............>.&.........>..'.W.U2..9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.451106238128776
                                                Encrypted:false
                                                SSDEEP:384:9hI3c6dh3O3Km30v3635B33H353X3g3J3N33Lv3j3j3A3730j3ue3H3T39z3IM34:9kqL+Tl5qhdWFgwc4MElvawvML0g
                                                MD5:D7F0C0D789E5CEA65ED5F813DC30922F
                                                SHA1:F66D7C36715EF5A15F56FB062E14C9DA7CBF661C
                                                SHA-256:719B631A465EBCD86EAFEF92D01D47B4A139D3870AFE5988AFDD1D0FE8C5D113
                                                SHA-512:E9C721DEA05762A532B877F9AC779E39CF0C7EEAEE71D40D6EA7A5D88556E027F91B25774D1EF80E713EB07D81FF8902AAB467565D9B66A83990E8E1C28BD816
                                                Malicious:false
                                                Preview:ElfChnk.........^...............^...........`........j......................................................................3..=............................................=...............u...........................................................................................................H...............?...............................................M...F...........................................&................9......................................................................j...............**.................*T.........B...&.......B...._.X.$.]...+........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.225713474461223
                                                Encrypted:false
                                                SSDEEP:768:zPcpk0+dc1RzsZrczv9ezTjlRLD1xzzmfgO5WJ:y4PTjX
                                                MD5:44609A855C63059C1B8AAE7EA0EFE7DD
                                                SHA1:DFA922F1A0D15D7CFCB1BE0C20BE7006E53226A7
                                                SHA-256:8DA4939C632970CDC757C19F63E49518898FA73AECBC2D39046A09B2104ECC3B
                                                SHA-512:99E382C698C398B77CB3E7DE56A2D6F9CE0095A83FB323B695DF0FCEA2ECB70C2F0CE287C947A0879E0BE155EE3031735E8DB0404755296132D6A462FDC1BF3C
                                                Malicious:false
                                                Preview:ElfChnk......................................&...(..Hm.<......................................................................y.........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**...............q..f........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.9540071406267567
                                                Encrypted:false
                                                SSDEEP:768:yl/LLKiILbXvvvD7rrXuXtPPrzbvjPH7b/P:5iZX
                                                MD5:12AA7D94E2E146FACCA4B6EC8952161C
                                                SHA1:0DE0BE97180096204C84522E14C36B27A46960FF
                                                SHA-256:013A06C794B64D5300013A0464A73608F29A25819B36D1A74C2CEED450A7CE50
                                                SHA-512:CA41DF58E58E0B0F70C42FF6B7CA2D1A29EE70220E5DDAC49FA4083D057CAF7EDA6AE0D8B4B821D2E2E05AED6C88255B0B129F4C4B5BC62422EDE5D74464280B
                                                Malicious:false
                                                Preview:ElfChnk.........................................p.....%E.......................................................................................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**.................g,........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.4529335974709596
                                                Encrypted:false
                                                SSDEEP:384:nhuoS9VoryorOoroortorVorVorNorrmo4oruorlIoreorNorworgorDorhorcoH:nsWqGO
                                                MD5:754712C8C54F43FD204B4EF49E3AE878
                                                SHA1:C74C5CE28F796A49E89A57BDABDA9C8A9B0A855E
                                                SHA-256:03282A4CAD581109351A78F3932A2CD856304F42DD982F8CAC101C57CFCB6C0B
                                                SHA-512:853F6E084611516219FABBA899EFD4EA116C492A355D91337764340052695C6F1F24BD21C57B1212EDD07F684B1754DDE78D05223EBA5518B938D76245BC83FE
                                                Malicious:false
                                                Preview:ElfChnk.........M...............M............}..............................................................................+.v.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................E{..............................**................@.S...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.204064062455579
                                                Encrypted:false
                                                SSDEEP:384:PhNPmP1PKPvPZl5P8P7PAPt/PU+PKP1PEPNPaPQPiPqPFDPhP6PwPXPaPZ8PWPCU:PDlvUGLpF
                                                MD5:73AB303B846FE334D3A6A972000595DE
                                                SHA1:0D517CD584649931569FA82636391EE49F7747DF
                                                SHA-256:7390D97D5C10A5DCCE3D2BDED0EE9E2E460F6E035607EBC0F2C7B5410034F143
                                                SHA-512:47267A6BE08A1919CA73CB4447B94E489C5378F0B60B47444959ED2624F8EE18D0ABC418A352DF51DE517296BE5AA446A751FEB719D7BCDD0807B62F0B25F2EB
                                                Malicious:false
                                                Preview:ElfChnk.........G...............G........... t...u..............................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...................................................................................................'.......................**..x...........B...S...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.1774494095253334
                                                Encrypted:false
                                                SSDEEP:768:TDbHtuYYZAqRidVY4HdYWgML/chv4PzSw05Wt19M6vz73mA4+9AxNAVBBBxZvaVB:U27
                                                MD5:AA7ACC3C6F82C26DF3AF4DD3459A37A9
                                                SHA1:6E2B82CB213DDC5B609E2046DC36DDB6FE303CBE
                                                SHA-256:683695D3CBFB4BF2ED07BB9080CC15246E4F410D67F4C0AAEFB6CB365CD5273F
                                                SHA-512:5A31F0BB111CB87D9D20727DF5CDF99A9473D7FAC6B7C5BFDC17D020F52CDC0E5F928BEED3A11831261BFA8F9E1CFCADAD9719D8D00D3D7E30A4A099B6B8E9FE
                                                Malicious:false
                                                Preview:ElfChnk.........G...............G............q..ps.....S......................................................................1.................F...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&...........................................................................................................................**..p...........!|..S...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.725480555327941
                                                Encrypted:false
                                                SSDEEP:384:ohch15hHh0hUh4hlhhhFhhNhPhLh1hthlh6hah+hFh1hVhEhUhMhFhJhKhthPFhG:oyyz
                                                MD5:1127DFED09504296ED40BEE0A73F7913
                                                SHA1:B8AD711CF55AC499B8B97E47585863C2EB5CF690
                                                SHA-256:1352F6A4786F5CAA97FE8267AB58442A353573308983660152A1A7F58BCB6948
                                                SHA-512:7AAD28115BB732C633AAD48C421738832D6310925EE32BA5DAAD20381309FFD148000FD48BDE16ADC7B8C44CF9177B56617F1FD67B7C1FA4A241732FF1BC429E
                                                Malicious:false
                                                Preview:ElfChnk.....................................h...X..._..y......................................................................oq................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...................................................!i..........&...................................................................................**..X........................./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.7996519360112552
                                                Encrypted:false
                                                SSDEEP:384:Akh7YJVYV4YcYIjYkYVpYsqYVyYV3YVfYVRYVdY:tfvzDWeM
                                                MD5:012E76B66993B85D16975A8961B793BD
                                                SHA1:D4C589F2A0F3704619C77CA1FEA7ACAFB3085E13
                                                SHA-256:2F7F23FBCA4EDB9D4D9CBBF45EDCF07279388AE01806C14747645216E7BA78CC
                                                SHA-512:0870C0E0C73C092562D8C2CFE1FDAB48D218B1C5B8F03732E6F7AEC388586022F33F7F718F2611D5148AC99E35B4133307D277D23C9523019C22925205BE1262
                                                Malicious:false
                                                Preview:ElfChnk.z...............z...................@!.. #...K......................................................................v0B.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..h...z.........i._........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.6995653939286535
                                                Encrypted:false
                                                SSDEEP:384:ahDCq2cCp1Cz2TCLqCM2CZCjiCsCblCnC/iCsCe5CECOwCFCkUCXCUoCjCtorCrl:aUEJ2R
                                                MD5:0C308C7DA862DF0F62A8CAD21EE130A0
                                                SHA1:C9DE46B49E7D3ACC4626D36AF3184F33B8E12B95
                                                SHA-256:BC812D671EEDBB90C55F2D6C51943640F54549B8F78EF7613E59FB6000F1BBDD
                                                SHA-512:A0899F0C193AC94780FA55BFF60172706686FC53F32BBA94D799CC9AB97C131AA13718D70710AB9154D3EF138EDF43F6DF9C0BE21F5B4167A1F7E374995CAAEB
                                                Malicious:false
                                                Preview:ElfChnk.m...............m.............................$......................................................................`.............................................=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**.. ...m.........*13........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.9529748021742375
                                                Encrypted:false
                                                SSDEEP:768:7ey39iM13dtfbSqyYcQGXrlhmQHZHm43/0YOb5mFP+B/OAwuM2eWE:JSE
                                                MD5:A082DAC74F7E0408993724BE8824EB08
                                                SHA1:9615F9A9FCE6C2ECF54A71FE31DA8C95C1360E41
                                                SHA-256:A319204F75354DBEC4D3F516CEE8ADA379D0C9D842D706C35080A65923BB5AE7
                                                SHA-512:BA08E03531D88AD1FA3A69A7B58FBF70631596F41988B3D6722B65190D320ED916A00F5FAD0E7F2A99931002D35B214AE27413FF57090E255CC498B565BCAD72
                                                Malicious:false
                                                Preview:ElfChnk.........F...............F......................D....................................................................".h7................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................................................**..x...........&............./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.472195871609055
                                                Encrypted:false
                                                SSDEEP:384:Dh8kbAP1gjk+Jk+yk/3Suhfmk+Adk+AkKuIk+2hk+Dk+rk+4k+ik+8k+4k+Uk+R3:DNAP1EHDzS0OpmjmoToEEltkV48m
                                                MD5:317B8D11DC00097D0D78791AB80AE1C8
                                                SHA1:8B4223AA55BD1BDEE22327E622AF1C2C0229DFFF
                                                SHA-256:A4DC4BB4A10DCDB1639B676F7BAD5AEEB4031804320CBDBF50523F69AC2DD0B9
                                                SHA-512:063627770420B168E7699A2FB8CBF9ECB762496F416A67681F8FE6EFB8B4913E899F84724514F4113A7DD13C7756BE32058A7B1AE4A08974449518BD3F6EAB71
                                                Malicious:false
                                                Preview:ElfChnk......................................I...K..3.6......................................................................,.................b...........................=...........................................................................................................................f...............?...........................m...................M...F.......................&.......................................~...................................U...............;...............................**..x............Ft.i...........w.&.........w..._.|.1+O.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.444844299606771
                                                Encrypted:false
                                                SSDEEP:384:ehaEdEqXAEJVvOEJSvEqEBEENEuDEaExEOEAE7EmEizEJ6ExEZEX/+EaEF5EOcE7:eVXmIBqr97fAIKCWJYkLpO
                                                MD5:17727ECB38D63681D6DCD4F22A295592
                                                SHA1:AFA6F26F992673F320EB5EE35866293217975CDA
                                                SHA-256:FFE373D03A0F4656A38205F796EA4FE2AF5D7D46AA67EBD0150B9D5699918A67
                                                SHA-512:2EDC170F1A5FC12AA0613491FA104E94C4BBD74F15031A6FA9C95F3EF7950DC9F6070687B5B3718434B622780AB442279405381EF837C4776117794693C512E7
                                                Malicious:false
                                                Preview:ElfChnk.....................................P.......8.L......................................................................=;.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F....................#...............!...9..=................O...=...........A...?.......;..ME..........}....................'..........5...........**...............2...9......../X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.4038432925652633
                                                Encrypted:false
                                                SSDEEP:384:YhPFKlcLBKalKuDGK1GKgkKClKvQKqlKlaKu7dKrXK7CK53HKstKoIK8eKugGKIM:Yz8
                                                MD5:92855C5AC263D7ED3184C01631FD3592
                                                SHA1:868C4973FA186ADD1A46B70E3C55BB48E016EC46
                                                SHA-256:58B5F33F16B6A8769E7D7EC784B48055DFB1596A0112D5400677B89D9D8BC3BF
                                                SHA-512:C526C66B2635334339E7F2EDB2F52DC98B8AE5A0BDFA6C351321932122F42062808A6ED3DBC17B8AC1B185ADF7A942C1001BEF01424733D3DB24A2AEE373CABB
                                                Malicious:false
                                                Preview:ElfChnk.=...............=....................x..0z..>..=........................................................................................H.......................,...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...........................................................!.......................**..x...=.......m............./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.1013631133139485
                                                Encrypted:false
                                                SSDEEP:384:8h+DEfbDisDTDqDPD1DPDXDuDTDGD8DMDRDcDvDhDlDEJDpDmXDyDsD6DwDKDODQ:8rqyaBHYPi
                                                MD5:47A005F71E57B5119738EA7F0084E091
                                                SHA1:BDD29869E7BA934117DAB0EA1FE0B5A7ADD5AB01
                                                SHA-256:A0C2E08A26AA84910FCA7201E7FB6676994D3C2B2DD7CF44987ADAB22275F957
                                                SHA-512:A0A728C304BA67CAD2C36C3760A68CA4319C54BE8F888FA6417EE2DAC1F383192E97A88D3F51AAF7D855997AE6FC45CC7909A462E93B807D0B9DA9D4A75E0768
                                                Malicious:false
                                                Preview:ElfChnk.........<...............<...........8........p.^....................................................................1Q..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................&...................................................................................**..............F_G.4........./X.P&......./X.P...P&.C..:.v........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.190326188661169
                                                Encrypted:false
                                                SSDEEP:384:thdzpzAzKzyzIzazrzRztzPzxaz9OzJznzfzXz4zdz/znzYx3z9zrzmzYzwzYzX4:tK8WxvZ
                                                MD5:DCF0AD437C79FBA00941A497B01B1810
                                                SHA1:81C6EE670E0E80D6F501E479753123900828323F
                                                SHA-256:DA41A953EE4EB385822A0BF4777417817073913250D522B02B0AF3BDF4662556
                                                SHA-512:5B6FA704A883F7708ADD00529679DEA706BE8DD39690E265A478C42C9F74D8919F4999A9BFF9C6C2C7619C01F1C026390A6CE98CD56C5C90ADFF9132ED27A789
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.7389606055142643
                                                Encrypted:false
                                                SSDEEP:384:UhXIVcIQIiKjIvISInIxIbIwIIaICIDI7I260naIBnvILINIhIkI8IDITI0IfImZ:UQRlonfn
                                                MD5:C924DF9877EE7901BE9D6EC7AE53589F
                                                SHA1:3976D7B1B37052DF0867CBB219B8BCFBE4F990F4
                                                SHA-256:B570B40A646593A82B9801B1309334F737C83A26479FA3D6364ED6CA52A289B1
                                                SHA-512:F563DD0C606E4201F145E4F29B542458657F411E0449E19CDCD5C841E47BC135B3771F3CA86D0126E63E0432DA8C53C26DC464202B8C0C1E69DF51DF5A9A9279
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):74360
                                                Entropy (8bit):5.530906128480653
                                                Encrypted:false
                                                SSDEEP:384:xhga5Ga5q3a5ea5za52a5ja5a0a5ua5va5Ha5Aa5va5aMa5na5Ca5kzyzIz/a5sN:xJE4K
                                                MD5:10AAECAF475B4BD4C22C89C74A786DC1
                                                SHA1:DC2AE136178401737C33AFFCE64031AFF00D4E66
                                                SHA-256:F8A9AC237FE65E958137F69255D25AC862845DA2FF56EE303E7D84D10DC24EFB
                                                SHA-512:FAB688C3D98A7B0D250E1437300A1EE5ECBE7D5C65290C41FBBE4DBF94B33845A789B038FFBCE7C44A32CB822D4BBC5D7299EAB2385CD4FB9905D0F73A103A11
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.107173359251602
                                                Encrypted:false
                                                SSDEEP:384:0h0QMqHM3EbMYFMOuM0cMn71MuMMxsM98M0n4MBHMovMmXMqQMrdMlOMZzMWHMBL:0ZWa
                                                MD5:1048A7B7228F9643A5FE561B4A42CB5C
                                                SHA1:F2EA8DD662AA9FB5E806C15D95CE860E72A391A1
                                                SHA-256:6B15C5E4631F38713350A396536F2669CBCAF311A12AD3D8B8E4198D89C300A9
                                                SHA-512:3C4F8CC6241A388507393DAF5B9609DE147C4435C8B22D28445F550B20BA7E3658F5BF2CD6AE44AB6D52BE9C4DA91AD9EBD22C48924EFEC5DD87666752F4E87B
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.283176297524441
                                                Encrypted:false
                                                SSDEEP:384:mhb1Sh151f21Q1c161J1fA1eE1cj1/q1f+1Cz1410C1F1f81H111f210111X1fIq:m6vPCDe2v/bgrJlrxbz3t3fAQmLS
                                                MD5:75AA372FAB070F2A5991E804DDB0D4A1
                                                SHA1:AA2669E773ECFCB8BBA56BD3CEFA40F4F909211D
                                                SHA-256:4EC4B490619FA136A78AA2139E6D4B525CE9937494BC72CCAE454910D2E5F82C
                                                SHA-512:3819BBA8EB81EF2DFA38DFA498733FA202C7475BCEA3659063BB9FEAC4E17BF66259E1CBBAF0A59EA237A05BAF3E967D0B7612A508F8F4AF4B9E0DE97CC6AAA8
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.322944754176528
                                                Encrypted:false
                                                SSDEEP:384:ChnIFwI1IcIIIEI1InI0IXInICIWIzIOILIqIhIXIJIrIPIMIiIMI/InIFIxImIH:CuxxVqRr
                                                MD5:7D03E0539908FEB6C07217FB2E920E63
                                                SHA1:D729952004BAF2D3387DDDCDDF6ED5E75DEFABDB
                                                SHA-256:C58FC616CAFFDCE8725E3992E68AD8A2EF0A2E72FBA4A4C093DA10B439C91610
                                                SHA-512:9B60435FAE81139AB287DA034375174FAA968C08EF07A47562020B4F2B70F2116D3757092317CBEE7F93ABC8F61B7CA9CD2983B4345CFC5D9DB4B1489FAF59C6
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.154051321529949
                                                Encrypted:false
                                                SSDEEP:384:yhqILI6I6IUI+I4IZIhISCI3hUICIOIDIMIfINIEdImIDIXIjlII+I/IAIiIkItl:yHZhxKkDBhT
                                                MD5:2AF21970A94B7B248E10B8930242D0CD
                                                SHA1:47FC86C0E69F376354A441EF2A9596F40CAA4EC2
                                                SHA-256:ACEB31AF046E6F00B39C5E018FB30DE56381A8B7CA5CB02F3643F9AC8EA06F1C
                                                SHA-512:4E4055C49F6215A621AAC30BC5D788EC195E1F6C46B9E17D4D488D96302D29EE38F2EA5FE5DC59CA927BDD7BA65D8F9DED54BF076B5BD0B123060A9EA3297241
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.8994582265739917
                                                Encrypted:false
                                                SSDEEP:768:941WS5OAT1rPgAT0nH15T0nb15T0nQ15T0nW15T0nr15T0nB15T0nh15T0nb15TT:/ScA
                                                MD5:3CFF12063849828DA79F5F806431C9F4
                                                SHA1:245D6849A3AD41185EE127408EC9F38DE1807809
                                                SHA-256:8F33BCAA3AE87A8380ABBB028FAF971F36C2704F92787057AE13D10DEF14BEAF
                                                SHA-512:9290784A8EF18BA2FEDC78C842CC9CA298F9C81333A75B4A91B63A544D783380F75AEE1B5A4458C51B79A23CCDB12AD7E7310893CF0B78270BBE4E2FC32CC396
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):90088
                                                Entropy (8bit):5.041080490426505
                                                Encrypted:false
                                                SSDEEP:768:wB0xRaL00JxGNzYFmH8BK3rBKwm5lWB0xRaL00JxGNzYFmL:zAJ85YsFSl9AJ85YY
                                                MD5:53CCEE98A24A497C6F5BAEBBD63DFB40
                                                SHA1:7EE96489259EFFACBCAD415E336D81F005E74883
                                                SHA-256:3EBA86A99BB4926E1DF7DC960A49D9732DFB9AE1ECEDBCF8E113381DAE364C47
                                                SHA-512:4F7D67B2054E313160284B0D75974D4413D1A5ABA96742221D1525D247211440D972531508A6FF999BA16B05B12CEBFE36B3F0B34C7B90570DEB9BEE8B8AD172
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:DIY-Thermocam raw data (Lepton 2.x), scale 4-8, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 10384593717069655257060992658440192.000000
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.0533171672653245
                                                Encrypted:false
                                                SSDEEP:384:4ho8N8M8p8d8I8K8t8v681o8t8K8aI848s8D828P8N8285818n8U858w8v8yt8+s:4j31lT
                                                MD5:20388613A02F9F423D8F57E3BCD31E3F
                                                SHA1:B6B3C2BC7912EBC4C1F471E69BE24FC5D73C158E
                                                SHA-256:16989E5FFAAC19D299E6DD0A8D053592A38BD543CC73FD0D25B2D6F1AED484BF
                                                SHA-512:362D2921E26F7B4FFD0BDFB9D1A12EBAC2A2B00F73A4228C78D6C64B5A631BB1B1CC0FF9C5351CA25BD7F6352F73AFA2A181D23CA7D9334F0B1C2883681324A5
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.222584772363656
                                                Encrypted:false
                                                SSDEEP:384:whuvnvmvJvBvdvrvwvSvovl+v4v6vvvmvcMvOyv4vCvAvTvGvP+v5vRvH8vUv5vl:wNzTEejRRT62
                                                MD5:F68A56E14DF7E71D5046610D03575DD2
                                                SHA1:6A42F3032A24AFA87B49D2636C7AD5F96B2D4602
                                                SHA-256:E8190AFED22D6AF4C742D7336810FFAE74D8C375E2164E3FBBEFD0E84F2BFC16
                                                SHA-512:5917D30E4A8B82BCDB7A651AEA772AE78F883F024F9FA25DFD18D643533A9ABAE9D2243D028CEBA59056359AB413FF56286B05582A1ED87A7A247C946A13DFDC
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.092255924276787
                                                Encrypted:false
                                                SSDEEP:768:OS/Bp+UdTU8UqOUyGUwaUpcuUvKUruU6DUZ5UtaUKOUpSUv2UwLiUIeU7bUhCUrj:D7rw
                                                MD5:DCA1104FF349ECC42EDFB32DA2C929FF
                                                SHA1:30BAEBAAC2239E0AC6C0CA67EDD94ADAAF5C49E1
                                                SHA-256:E2C9438BC0B8F758BE72E9A8A39BA2A0C34F446B999EB9843BB28F7313DBFF11
                                                SHA-512:8B5C3CA7B8C6EA14C6CB5BDE8ADF0BBE8B40F49A9AB0400276346BFCF9B44562886B0458D52E89865E8466A48A2723DF90517D4DC3A67878C3F35F2DE35409F7
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):112240
                                                Entropy (8bit):4.296434942189561
                                                Encrypted:false
                                                SSDEEP:384:Vhd2h2x2z2W2q2Ez2S2h2HC1C+CACA2q282vo2Q2f2j2S42N262W2FCECdCZSCve:VGC0JBlUdPc6isrzh7GC0JBlUUA
                                                MD5:2674A21FF6F1505B5963BE4A76A7FC56
                                                SHA1:E2F1C55083140AC8FC7B26D1F6F6574352FC70B1
                                                SHA-256:7B8102EDA003C8957DD45A034A2BB8CBA022CE25D08BBE7F17D78A30027654F0
                                                SHA-512:D2089DE426D2F47EAD615B7EF7697BAEA6D70B34704F6FB6D9C52FC0722F4CEC05F076AEB7DF29B4801A6A4EA4A9E565A773B4D6D0937C6A2CBCB1D712821EAC
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.4163787042535234
                                                Encrypted:false
                                                SSDEEP:1536:BtJTcmXTfu/hD9ouzDZx+DWQeD8yiM4C0BYEeKee6lFY99PXg95RA2IektFNEfJ3:bJTcmXTfu/hD9ouzDZx+DWQeD8yiM4CB
                                                MD5:2C40982C669E800D28FBEF744E94F7E8
                                                SHA1:484747BFB6E16ABC10B46E847B570D96512C69FC
                                                SHA-256:36D46627AEC41A60A30EC9BFFCA13C6E6920F8E30974729E8D704691D37323F9
                                                SHA-512:3219159B58E928C768D81B8BDCA294F282DDFD390F1D4EB5EB2CD0AE7B7D784191CBF674AAEFC56AB0B3B48C20D4D5331D9C7C75B40E8DABF7BEF96426A73E59
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.466702776592555
                                                Encrypted:false
                                                SSDEEP:1536:FHaeal41B8ZxWYlZnDit0fHx2JYcYAwD6jeEb8TkZk8LOD6NMhjqMB2TjOUnZr79:FHaeal41B8ZxWYlZnDit0fR2JYcYAwD+
                                                MD5:269EB800A48C0219ACA8BC14F8EE5A65
                                                SHA1:5FBDE99F25DBB07D09A62D297DF71354C066F050
                                                SHA-256:5176C7E78DB12B9592FB6B7ED68425F69A31614C05C0584B46EDBFCA3C0F8A3A
                                                SHA-512:C8A5ECE46B9E5F2C7584C8BC62490AA0E010E5EC05A7BF2FA45682E34245528979313944EA2D2038DF4F81D33E10841019B1569C21C7339173BB82B3E5A3EF52
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.954412402045104
                                                Encrypted:false
                                                SSDEEP:384:whq7v7l7UZ7r7B7c7li7x/7Z7Z747A7rK7Rx7fy7P7C7I7F7W7DX7z7C7B7Z7f7/:wGzb
                                                MD5:03696117C0BA9C2C95C22E772DBEA4E6
                                                SHA1:4F0847F88EE902ED1D2CC250285B168BF1AB909B
                                                SHA-256:FBDFAF16AF3FB17598D2FB5C297EC892088E8A1835D9AD6432199509F0643CAC
                                                SHA-512:66EF082D28C570148DA9BDCE86E9FDD1A7680E36B1E7A4D003AC2DC479AB82884BA0CA3A67B07F13A41364954161EF3B2EF4123DAF6F5FD932BF67895B872544
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.25822770317222
                                                Encrypted:false
                                                SSDEEP:384:NhwuTDFbuJuuDu/uVuuvu7uu6uOuU/ueuu/uFuuVuauUmuPuuAutuu2kuzjuUauE:NHawuFBoRW3L463zLKxW8mu16S
                                                MD5:DDCD62FAAA1CE766D297E05F0DDB26B3
                                                SHA1:5CF8B718B2B3A4A1C87D94B994E2BDABED86A50A
                                                SHA-256:FCA644893C2CDD31E1CE788B246674052172095C982D75D820D8115E88F03E06
                                                SHA-512:A3861B4E6EC46049C8D1B45FE75DE3D49050E55A7D32BB9BA00FE86E830C836CC9F3887268DACAE6DB969D1F281011DAA613F23736BD325B6AA98035AB17505C
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.3447363560139163
                                                Encrypted:false
                                                SSDEEP:384:Wheu/uSuWugu5uGuFu5ut1u7su+uPudu3uxuIuTuxufvuIUubuMuBuquZu/uKu9X:WP6ZDGl
                                                MD5:2F61501D29AE79E599E552C9A6442CB4
                                                SHA1:6C26208325E31C69A8D1D5E7A8FC952FDF202510
                                                SHA-256:BD98E75BAE4BB43D6E1584554D8321B1617340248F7C1D1543E96EC7DADC9AE0
                                                SHA-512:FF60CE056292FE3F0B4506414510762F927FA435DE32AFB9D0703F0D9D3ACD6E0B291134F96F5ABB8E9A82569C2CC856EABF5B7E383CBB8BF70A0C8E31908B7F
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.2935182356592674
                                                Encrypted:false
                                                SSDEEP:384:/AahPAodANA9APA7SjAkxArIvjA2UlA/A3AnA7ATAnALAlAfMAYQAgiA/ABAxAsD:4a9SNmIvvfek9kO7
                                                MD5:DCB63FAA47CDAD939650B4C2EA578A0E
                                                SHA1:8AFAED7629A0205B1B7266632100F7BABD6675BE
                                                SHA-256:CDF51B54252928585F89704A574A3ABF1E435D0C4DDC4D3E941C6A4D09D73385
                                                SHA-512:9D84DC3B7BC366BEA09D07247FF310FA893FC56E8EBB00F740F307E92AC8C27F818A0E0CBDF904B2245CDE3BF51DE668B0E4E17B0B37737040C5FF849B3023E2
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.423808035469549
                                                Encrypted:false
                                                SSDEEP:384:Ghk+pUYnpdo4pd+pdnpdwpdVpd+pdrpd4pdRpd/pdqpd9pdopdKpdXpd8pddpddp:GI
                                                MD5:6E571AA2BFD8C7D4F17DFD82CFDCDA9C
                                                SHA1:C68AC6C3F4FD5B961DDFE138F8CE5E56A3694A27
                                                SHA-256:BC394C6B0F6AEA31A8F3FE15E0172C511AA463280630CF0E15CEA7DCBD797618
                                                SHA-512:2360CECE4EDD2CB99DDD5BB83EE87CAD5D0DF7F8D40E3AB75B19CCEA6A73FE04EAE90731CE367A3E8816A30C61EBAD659DB720255C8A1321C1BA9EDC5C22E051
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.117968077837206
                                                Encrypted:false
                                                SSDEEP:384:ghmCpaKpmpL6pAsUpfwpAbdpABApAGQpTVp2LMpIJpAbWpW8pAWWpAJap8kpAE0d:g
                                                MD5:FE6A5A39D716E27F4DFECD9FAEB61B10
                                                SHA1:0ED31452759828F03EEBCEFD03B32355607A950F
                                                SHA-256:79772236BCFF6DB44F50572DED0E83DD6497490FC03198BFE8918EA48A5608B1
                                                SHA-512:71E17EE8C637CD359F1B603E2C2476BCC8C53B2081BC5BD22A1BA35EBDB5C599C47CA78122AC255E2B239FF3078B061FA369EB6C7259888D387715B1B52B3823
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.235899518477543
                                                Encrypted:false
                                                SSDEEP:384:GhoCKCQC8CUCLCYC7CFCuC2C+CxC1Cl0Ct4CCC2C7CLCtCeCeCiCmjC0zCpDCMCl:G+fNJCRxkjZHYUL
                                                MD5:B38736C9331F46BB66F7C077D4FB216B
                                                SHA1:A0C8B7361D542BBD863A1324B469E5AF8D7786BB
                                                SHA-256:ACAF5B021198028596C04AB5965C3D5DB83F5662340587854E3945EC73DA33EA
                                                SHA-512:80F1AA920804AA9A9258719417489F893E0D46D5992A1B0A09A3E956AAA51A6EA821FC2F701E0C55DA2E44DC99081962628A8FB22684F12D12848BE62AD29171
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):77176
                                                Entropy (8bit):4.6645523180592425
                                                Encrypted:false
                                                SSDEEP:384:1haMjgMlMX/MjuM8MoMkqMK7MMMZ3ME+IHMBMEMShaMjgMlMX/MjuM8MoMkqMK7b:18dmIE8dmIiLbyD24npAbySbyAbyU
                                                MD5:303AA5F5E2C6FB24932788E65A741558
                                                SHA1:1B4C7B7938984CAB0ADDB564410D0CC8E1E322A4
                                                SHA-256:54ABEAD166660B399D1BDDE7A456E6179044BD234A5BC92E6BFD3D6941B5FB3B
                                                SHA-512:D7963183A3C5B0D2720CFBFF27218B10085032F4FEE9E206C0395CCC72B6618331F41B693CA1447380E4A9C61A1FD70AA9EFC7A32F274F1E3F4A7603CF5109B9
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.1229765916491203
                                                Encrypted:false
                                                SSDEEP:768:qvgffnPNm/2sY3pLwIkJ2jLHbj9fr7w2imMFopTMFw3grHUP9L:jGaY
                                                MD5:E2C65BBD5D87415E9910985BA58A8907
                                                SHA1:0E8EAB4D1851ECC6F18D344B3DB9C86F3B2AA2F2
                                                SHA-256:7C708E089642B96397D838A4FD292FBB320128D682812C1683CDE8839C6B59CD
                                                SHA-512:6B4745D23761280F029113B74F80ABE98645FF514F457F63AD7BB396A08E5E25F48FC7B53F302084F99D6622FE6740B47780B4B594FE5ADE6FF03ABAB7F0E0FC
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.20402851336363695
                                                Encrypted:false
                                                SSDEEP:48:McYW4V8rP+MZQNRBEZWTENO4bpBdoEi/6FgVt:56ViKNVaO8toN/6Fg
                                                MD5:CE95833884C708F37CC05E0CDCEF8E46
                                                SHA1:7BB707C67617A194910BD2B485037BFFA89C129F
                                                SHA-256:48BE760F366FD06F616E79A8CE6154F0D23934B52E70D6AF09E6086418C032FC
                                                SHA-512:41D9196E48DC2699D418519552EC95CFC77CD6ED47A675A16063B37E9B03C47377D87FE87A7EC88AF4FC9E7A54245D6A9C48C9889AFC206682AF680E9DD18449
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.299001342102014
                                                Encrypted:false
                                                SSDEEP:1536:NKoKKK3KOKbKrK7KAKqKpK0KXKAK8KTK+KfKvKYKqK4KGKkKhKjK9KyKeKhK1KKx:NKoKKK3KOKbKrK7KAKqKpK0KXKAK8KT2
                                                MD5:03552A4F7B531D2EB96753FB11EC829F
                                                SHA1:EEAE533AF4991AD6CC555809E1F71A51FE53FC4B
                                                SHA-256:A2ECA29DF5CD7BB66000786AEC76AF73602E8A79E16AD88BADF24991F7F25B04
                                                SHA-512:57367214C1890E06779B8A1A5A52D88EE40878EABC6C14A20FE147A64F240CF64293A4B0514F549CA569075AC9AB3F9CFA598DB40F901F3EB6281AC700D61E57
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.095188966022527
                                                Encrypted:false
                                                SSDEEP:384:ph8i4i/yi6iDiDi5iwiliM1iNiUiXKbieifiGiOiOiIiIiBigi1iVinixiEiVcim:pp6xKokKN
                                                MD5:523D48B5387587616EA21E6A94774095
                                                SHA1:2F0EC8A73FA335F263B7CF6ADA6C032660F207BD
                                                SHA-256:BA7372E3E08B582098CA0C7EF8EEE1DA20626813BD4575D13FF51AE63BBD07D5
                                                SHA-512:E33770570E91F5DAB447EB2C47BFD7886A50023C8C088329BABE173F7367E0C282AB48D167A80F01C8DE5DCCD1059F53E9C605C622A09AACD37814D80B868B5C
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.302941540793714
                                                Encrypted:false
                                                SSDEEP:768:/xSaa8NlaranavazaZa5agCadadaZadacaRaZasasaUaUaMacaIaYaEakaAagakH:HN
                                                MD5:F05CEF4F1EDB48376359297601D62DF0
                                                SHA1:FDFE6A27ADFC2F2A6696E21DA4815B86D2E7B9E7
                                                SHA-256:D29958C2CAC57FBE44547D04343C8ADB2FBBA9866E2AA4CEDF3C50162D9F37F8
                                                SHA-512:019458A90189F3BD4178239D17D926B4BCDD6AAE8A9CEAB69DC58367F1D24B21CAEEE42C46C846357FA5636EA970E4BAA921642660B0873E81CF737A7177F234
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.9300342825527537
                                                Encrypted:false
                                                SSDEEP:384:ahNXDcXxzXZXeX/XOXMXauXLiXCXVX1XYXZXeX+XiXfXuXFXRX9XsX5XLXzXgXyA:ayAgbHqOT
                                                MD5:6228DF6BD900471E44100D5197326742
                                                SHA1:5DD8F5BCD4B7FD0B80B07CACF8E1B30CB26AA356
                                                SHA-256:1EB3B611F3768887988B150BE7580211BF350D96231EE88152DA4A045241F0F3
                                                SHA-512:FD4C91B7B21ADCB70BF9385E449340DFF723A753089E95C19FDC3E5B0207C98F59D9DCD7B7E8961D509E7A7F58214775FDC8287250C0A9238B817226ACACC171
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.33524841081757
                                                Encrypted:false
                                                SSDEEP:384:oNh2LmImemomHmOmamCm2m2m3mnBmGqmFmJmFmKmrm2mOmsmSmmmVmghmRmBmBSE:C/fi
                                                MD5:835E1407E39A6AE44A9D2B481027E4E5
                                                SHA1:F0AF5742729C87ED395CB9C225D22CCC868E2A35
                                                SHA-256:F76BD7C128CA9499D89A15D40E4EE9F2AE18C84E62F8FC809AC5465F58F04FD3
                                                SHA-512:BE76926D24CDCB11AE3EB2BFCDB9837475A3CA2D6E8F371509020D7FC7CA5D13D3C3F9D59D195C2B5C96439C178C208D00774EA87B54344B2CFD9B4B84361C19
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.9843980340061953
                                                Encrypted:false
                                                SSDEEP:384:ch0h21c2kS27W2VP2en32x2U2x2V2d2N26A2q242R2V2Y2w25vb2C2k2o2g2s2I9:c2C5
                                                MD5:8D7BB8981B367C4E592993A6A5BFC5DE
                                                SHA1:20C19777D0B878E1D54D5C680D38613E8304C875
                                                SHA-256:E5DDD368DA1265E30795E81232ECBECABF26DF9FFB35D314CB3F7646DDC6EA83
                                                SHA-512:F4832090398D9E0543CD65382727CDD223303F2654BA65661F60571ED527DF5C6306C18584B0B84467A12CE97A026C233E3BA67AA5EA7814F2F0C5B97C908642
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.294056146253322
                                                Encrypted:false
                                                SSDEEP:384:tVhpR+daRsRjRQRPRZX8R6R/aRXRsRqRbR2R7RoR/RlR9R/RlRlRaRMR0lbRLRzs:vLlK
                                                MD5:6DD239808BD88D42351C2EEA2ABC389D
                                                SHA1:06647C31A9E0FA1C675F07A86B23FC720DE5745A
                                                SHA-256:A1CD5FFAD60089B5C0612CB6A8FD220A325B74E375F7BDB278D23DC487D441B3
                                                SHA-512:1EAD1CA06F0CE87A67B9485B011A5B41368FCCB2BCC745FDB05D100C553047C88104C1E8B63A33B4FE16438D6E1254778E0FCE75B6F78C7697A8A7C04125F04C
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.3838762614088855
                                                Encrypted:false
                                                SSDEEP:384:VhCh7whqhvh4h/hMNhihhiVqhXhPh5Vh+hth0qhPdh4zshS3hi9uhiZhhpYhATh0:VkMfO1m1eH4
                                                MD5:7B1B0FE49DADAD5022D78BB7714E20BD
                                                SHA1:12CD354E98A76E3F9E6727D24ECCC8D5FA2BF533
                                                SHA-256:47D30B17F8CA29F2C362D37EA8628D8EF4352881AE33A73C21F3835506DF88D4
                                                SHA-512:2EB6A427294030F8032B265EA0D954B9B167EB00B0E554327D446A08E71D7CAE37F83EAF9A52C500B863F34BE22310C04AB0CD51D6C089DBCA5336E1F17AE560
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.547201121718876
                                                Encrypted:false
                                                SSDEEP:384:vh2VaVYVtVbVwVoVTVJVgVZVrVdVfVKVHVl/V+VnkVkgVOVEVRVtVsVCVFVhfV5t:vWIreU7U7enh
                                                MD5:5FD3A385D7B18B7EA01C85E16DB7A277
                                                SHA1:6AF432C9818D0441D8B1654A9084A21041E6BF29
                                                SHA-256:9FD313A4051DA417DE959DBC7AA695CF1A1796E1908C1C8CB309DBE335470AFA
                                                SHA-512:AD2301424528DB83E94D62419C554CF6EA390C936C3DBFB4FAF16DB4F06A35D89AF98FED3E6FCF8CAB6E4C3E75183E215C83462048A6D4C24B00A1922182BBA4
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.287794448783288
                                                Encrypted:false
                                                SSDEEP:384:wmhuZBwBQ/lrBwB7/FBwBK8bV5BwB5dYBwBkBwBHBwB/BwBGBwBkBwBd5BwBJ+BR:wm58bSFN9
                                                MD5:89C7BC48FFFD9628D9A6103818C055CA
                                                SHA1:F29EBA3AEA6AA54736FA90F4EB63A1DED545AAE7
                                                SHA-256:64DED1618C83EBD2B93D12B422D9070829A5017EF4A1E3A2708531B05460261A
                                                SHA-512:BA93F7672D25CFB44CC681B80F792BC9216174C32F57B3194A3ABE78CEA6DC358666B18BB6DDED04D06B3672D0E9A91B479043D9A321980AF18EF7363418A511
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.396158782726457
                                                Encrypted:false
                                                SSDEEP:384:Eh1wUEFUEmUEMUEgUENUEqUEqUEWUEvUESUE4UE4UE3UEbUEpUEpUE9UEgUExUEy:ELlWRqXJQe
                                                MD5:C1DEA974D58455D8493A202ADB588FB7
                                                SHA1:9FCD7DDF661A6D128E50E2096779EEB898B2A1D4
                                                SHA-256:AD0E19E7EB4FED43D603E7E9182E6A3E19A003943A5C0AE798BA1750C3A81FB9
                                                SHA-512:36F86C29100AE9498C4038ECB2CA97093401D3BFCDEB1D7AB182775DCFE3A0E37AA3F1C5F4FD2D2F29DB4BC21F18B8D1529C179FB9EE201F485738311A052848
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.440181632759416
                                                Encrypted:false
                                                SSDEEP:384:3w0+VsWZttC95UZhVhRoSxHJUBvv3R2ipN9J7odz6L7RPLfVXYgXcIycjd52T42p:33sfo/0AOQhxf27SVSVTuziNpBg12U
                                                MD5:CEAA4AAAB1B8F7C31C7DD50A936CFCC1
                                                SHA1:4ECD9DA97D97F49BC8402DBA4B294A26E4C7F75D
                                                SHA-256:80796B2BEE26315A374EDECB2B93BFB3B959176814A6153F8F5F52343E58C1BD
                                                SHA-512:BA27B1F667D4C5878E74D0C16799E1FE2B685B412B91EE9DE6D2D02F00AFD8DBE4AD5FCEEDF55BE6F7B4F120542666AB01C5E83533CD7632616FA604984FDC7D
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.372980188880248
                                                Encrypted:false
                                                SSDEEP:384:8TvFRRBUotxBoN0Xo5oko5kco5k8o5kGo5kSo5kvoZ9ojto5kKo5kBoZt8ojPo59:wNxgIDS1+
                                                MD5:648C3407DE6D588BA047F423EB6AC14F
                                                SHA1:9EAB27DC9B18F8078F477ED03BE3298E38C77403
                                                SHA-256:C5A3D3733EAB3636EB7E38C10ED2115E3A774D43284F3F528F69DA0C62F96B20
                                                SHA-512:F89E70C6F3F1F15448649FE038EA836AF07ACD842241ED2B5CD2557A516FB203D934D480A1A92EA90B19C278C683A18FF7A92EDF3EF65F9B2C7F16EFFFE151A4
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.4329766867514815
                                                Encrypted:false
                                                SSDEEP:384:JFRKXebw2SwXwFwfwI6wawSwfwLwZw3wEh2HJ9bPDda/8yQ9+9s9NvisQDyMY9UW:D1KhR8XwKiYI/fN3l0pzFQZZZX/v7m
                                                MD5:52B5BBE067D274D4AA8296DC49FF439C
                                                SHA1:5A077C8078CBBA8A967935ACF2C35F7132ACE3D2
                                                SHA-256:E632EA1B33D2FD9E4CBCF6B3B6BC9E4777A5D0EECE6209D36B4FB9D8D43F8C19
                                                SHA-512:D2013D66E989A70AAC28F6B4D19B082DE79A25F0EF1FADA51C9AA269DF61E1DBF224749031B8F0CCEC38D4C21C90401C55BDE6FD6AA99E0A796599EE9C29A4F1
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\dropper.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):339456
                                                Entropy (8bit):6.315691522700598
                                                Encrypted:false
                                                SSDEEP:6144:fIqzcfohaAYGj0+qR/COkEPb1vOFMIOJ842P+Rjchv7w9z+SmGRA7K:f5zcfohaAYG5qRBkEPb9LIwSgcl9G
                                                MD5:034B366A4729CA8D7139082C3403A180
                                                SHA1:CCBCFAAB603012A5DA5F1719436BB6C3243C4228
                                                SHA-256:85DFF42BE6532ED566306DBAA61799AFE807CB5D7033EE6B9E8AF901F5B40F1F
                                                SHA-512:466EBBDB79B7AC49BB53724014044A4461F45F81D662371F5BD9A8B90B489AD8C3536E6BDF4F59782FBF3158C4119B5BD6A709DC05C1059CF571EF8D4106A279
                                                Malicious:false
                                                File type:PE32+ executable (console) x86-64, for MS Windows
                                                Entropy (8bit):7.103100683598722
                                                TrID:
                                                • Win64 Executable Console (202006/5) 92.65%
                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                • DOS Executable Generic (2002/1) 0.92%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:dropper.exe
                                                File size:3'264'512 bytes
                                                MD5:b86ac1da682dbcf7461084e143b3b1ef
                                                SHA1:89b62f8b5d49330f9f2e56267b05797f0100a0d4
                                                SHA256:b8fb42e30a46967c65fdbcd33e0d301049f3b077043a367ebdc1d89b73e210ed
                                                SHA512:689a95d6b4e92381ea5e2f5f5781896b4f84470b5b5f870e96431bc133e7ab03d0bccbe69403e1a07780f3ea8d31dd830e2bfe5084603939683555dbf32ca95e
                                                SSDEEP:49152:SmkRNFMuXEPMAFNfomv3p+fPBiTJn2UKC0oNCBYWJw2uDgU6BVdZo:uKpyi9dow2uu
                                                TLSH:D0E5AE16B64698ACC16AC478834A4A73AA3574CE0B3579FF05D486393FA9FE41F3C709
                                                Icon Hash:f0ecd6ce8d8e878b
                                                Entrypoint:0x140157940
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x140000000
                                                Subsystem:windows cui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x677F2B5D [Thu Jan 9 01:50:21 2025 UTC]
                                                TLS Callbacks:0x40141ac0, 0x1
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:0
                                                File Version Major:6
                                                File Version Minor:0
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:0
                                                Import Hash:0f026d0bef75c6cbd3ab3d29123202f8
                                                Instruction
                                                dec eax
                                                sub esp, 28h
                                                call 00007F4E18E3AB68h
                                                dec eax
                                                add esp, 28h
                                                jmp 00007F4E18E3A6F7h
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                nop word ptr [eax+eax+00000000h]
                                                dec eax
                                                sub esp, 10h
                                                dec esp
                                                mov dword ptr [esp], edx
                                                dec esp
                                                mov dword ptr [esp+08h], ebx
                                                dec ebp
                                                xor ebx, ebx
                                                dec esp
                                                lea edx, dword ptr [esp+18h]
                                                dec esp
                                                sub edx, eax
                                                dec ebp
                                                cmovb edx, ebx
                                                dec esp
                                                mov ebx, dword ptr [00000010h]
                                                dec ebp
                                                cmp edx, ebx
                                                jnc 00007F4E18E3A898h
                                                inc cx
                                                and edx, 8D4DF000h
                                                wait
                                                add al, dh
                                                Programming Language:
                                                • [IMP] VS2008 SP1 build 30729
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30fb74 | 0x140 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x31d000 | 0xc00 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x312000 | 0xa614 | .pdata
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x31e000 | 0x2120 | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2eeb20 | 0x54 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x2eeb80 | 0x28 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ee9e0 | 0x140 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x160000 | 0x400 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x15e61f | 0x15e800 | 5b64992d085589cbc6cedaeac65c140b | False | 0.4542394793152639 | data | 6.334936668353236 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x160000 | 0x1b0aa6 | 0x1b0c00 | 82f8fd852c7b34c5f027d508ffc0a2cd | False | 0.7723825191363374 | COM executable for DOS | 7.377653773897353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x311000 | 0x4a8 | 0x200 | e9bf70d2d3357e1c21e3977d2ef5ad26 | False | 0.34765625 | data | 2.7961827382649806 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .pdata | 0x312000 | 0xa614 | 0xa800 | 2e3d9be1606081341edad1591b9a22f9 | False | 0.5128813244047619 | data | 6.071152298402356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x31d000 | 0xc00 | 0xc00 | f9b869a7cc1c341e59b21fbf2f0c2c7a | False | 0.7418619791666666 | data | 6.0111462385824295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x31e000 | 0x2120 | 0x2200 | 916b0902a870bede7980de9c2a1e4a77 | False | 0.4852941176470588 | data | 5.406304361389397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_ICON | 0x31d0c0 | 0xb28 | Device independent bitmap graphic, 21 x 64 x 32, image size 2688, resolution 3779 x 3779 px/m | English | United States | 0.7629551820728291
                                                RT_GROUP_ICON | 0x31dbe8 | 0x14 | data | English | United States | 1.1
                                                DLL | Import
                                                api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
                                                bcryptprimitives.dll | ProcessPrng
                                                bcrypt.dll | BCryptGenRandom
                                                ADVAPI32.dll | LsaAddAccountRights, SystemFunction036, AdjustTokenPrivileges, LookupPrivilegeValueW, LsaClose, GetTokenInformation, OpenProcessToken, LsaOpenPolicy
                                                kernel32.dll | GetEnvironmentVariableW, GetStdHandle, GetCurrentProcessId, GetCurrentDirectoryW, QueryPerformanceFrequency, SetLastError, HeapReAlloc, lstrlenW, ReleaseMutex, RtlVirtualUnwind, CreateFileW, RtlLookupFunctionEntry, GetConsoleMode, RtlCaptureContext, GetSystemInfo, GetFullPathNameW, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetProcAddress, QueryPerformanceCounter, WaitForSingleObject, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, SwitchToThread, GetCurrentThread, SetThreadStackGuarantee, AddVectoredExceptionHandler, GetCurrentThreadId, GetSystemTimeAsFileTime, FormatMessageW, LoadLibraryExA, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapAlloc, HeapFree, GetProcessHeap, GetModuleFileNameW, Module32NextW, Module32FirstW, CreateToolhelp32Snapshot, GetProcessId, CloseHandle, GetLastError, GetCurrentProcess, GetModuleHandleA, VirtualQuery, GetModuleHandleW, OutputDebugStringW, SetFileInformationByHandle, IsProcessorFeaturePresent
                                                oleaut32.dll | SysFreeString, GetErrorInfo, SysStringLen
                                                api-ms-win-core-winrt-error-l1-1-0.dll | RoOriginateErrorW
                                                ntdll.dll | NtWriteFile, RtlNtStatusToDosError
                                                VCRUNTIME140.dll | memcmp, memcpy, __C_specific_handler, __CxxFrameHandler3, __current_exception, memset, __current_exception_context, memmove, _CxxThrowException
                                                api-ms-win-crt-string-l1-1-0.dll | wcslen, strlen
                                                api-ms-win-crt-math-l1-1-0.dll | roundf, truncf, exp2f, ceil, __setusermatherr
                                                api-ms-win-crt-runtime-l1-1-0.dll | _initterm_e, exit, _exit, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, _set_app_type, _seh_filter_exe, _configure_narrow_argv
                                                api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
                                                api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                                                api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode
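                                                The import table is the only static view of the sample's capabilities that this report offers, and the useful reading of it is twofold: which imports enable what, and which APIs are conspicuously absent. Two things stand out on inspection: the file-writing path pairs kernel32!CreateFileW with ntdll!NtWriteFile rather than kernel32!WriteFile, and the loader functions (LoadLibraryA, LoadLibraryExA, GetProcAddress) are present while no process-injection or registry API is imported at all, so any such behaviour has to be reached through runtime resolution or direct system calls, which a static import scan cannot show. As a side observation that the report does not make, the combination of ProcessPrng, WaitOnAddress/WakeByAddress*, SetThreadStackGuarantee and AddVectoredExceptionHandler next to VCRUNTIME140 imports is what Rust binaries built with the MSVC toolchain commonly import, which is worth remembering when the process list only says "C, C++ or other language". The script below is an added example written for this page, not Joe Sandbox output and not code from the sample: it parses the rows exactly as printed (including the run-together "kernel32.dllGetProcAddress, ..." form the page extraction produced), groups the imports into triage buckets and lists the expected-but-missing APIs. The bucket names, the expected-API lists and the runtime-resolution heuristic are the editor's assumptions.

```python
"""Static import-table triage for the dropper.exe imports listed in this report.

Added example for this page: not Joe Sandbox output and not the sample's code.
IMPORT_ROWS is copied from the report's DLL / Import table; CAPABILITY_GROUPS,
EXPECTED_APIS and the runtime-resolution heuristic are the editor's assumptions.
"""
import json
import re

# Rows copied from the report in "dll | imports" form (the parser also accepts the
# run-together "ntdll.dllNtWriteFile, ..." form seen in the extracted page).
IMPORT_ROWS = [
    "api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle",
    "bcryptprimitives.dll | ProcessPrng",
    "bcrypt.dll | BCryptGenRandom",
    "ADVAPI32.dll | LsaAddAccountRights, SystemFunction036, AdjustTokenPrivileges, "
    "LookupPrivilegeValueW, LsaClose, GetTokenInformation, OpenProcessToken, LsaOpenPolicy",
    "kernel32.dll | GetEnvironmentVariableW, GetStdHandle, GetCurrentProcessId, GetCurrentDirectoryW, "
    "QueryPerformanceFrequency, SetLastError, HeapReAlloc, lstrlenW, ReleaseMutex, RtlVirtualUnwind, "
    "CreateFileW, RtlLookupFunctionEntry, GetConsoleMode, RtlCaptureContext, GetSystemInfo, "
    "GetFullPathNameW, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, "
    "GetProcAddress, QueryPerformanceCounter, WaitForSingleObject, WaitForSingleObjectEx, LoadLibraryA, "
    "CreateMutexA, SwitchToThread, GetCurrentThread, SetThreadStackGuarantee, AddVectoredExceptionHandler, "
    "GetCurrentThreadId, GetSystemTimeAsFileTime, FormatMessageW, LoadLibraryExA, InitializeSListHead, "
    "IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapAlloc, HeapFree, "
    "GetProcessHeap, GetModuleFileNameW, Module32NextW, Module32FirstW, CreateToolhelp32Snapshot, "
    "GetProcessId, CloseHandle, GetLastError, GetCurrentProcess, GetModuleHandleA, VirtualQuery, "
    "GetModuleHandleW, OutputDebugStringW, SetFileInformationByHandle, IsProcessorFeaturePresent",
    "oleaut32.dll | SysFreeString, GetErrorInfo, SysStringLen",
    "api-ms-win-core-winrt-error-l1-1-0.dll | RoOriginateErrorW",
    "ntdll.dll | NtWriteFile, RtlNtStatusToDosError",
    "VCRUNTIME140.dll | memcmp, memcpy, __C_specific_handler, __CxxFrameHandler3, __current_exception, "
    "memset, __current_exception_context, memmove, _CxxThrowException",
    "api-ms-win-crt-string-l1-1-0.dll | wcslen, strlen",
    "api-ms-win-crt-math-l1-1-0.dll | roundf, truncf, exp2f, ceil, __setusermatherr",
    "api-ms-win-crt-runtime-l1-1-0.dll | _initterm_e, exit, _exit, __p___argc, __p___argv, _cexit, _c_exit, "
    "_register_thread_local_exe_atexit_callback, _initterm, _get_initial_narrow_environment, "
    "_initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, "
    "terminate, _set_app_type, _seh_filter_exe, _configure_narrow_argv",
    "api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode",
    "api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale",
    "api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode",
]

# Editor's assumption: the buckets a triager looks at first (exact import names).
CAPABILITY_GROUPS = {
    "token privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges", "GetTokenInformation"},
    "LSA account-rights change": {"LsaOpenPolicy", "LsaAddAccountRights", "LsaClose"},
    "process/module enumeration": {"CreateToolhelp32Snapshot", "Module32FirstW", "Module32NextW", "GetProcessId"},
    "debugger detection": {"IsDebuggerPresent", "OutputDebugStringW"},
    "runtime API resolution": {"LoadLibraryA", "LoadLibraryExA", "GetProcAddress", "GetModuleHandleA", "GetModuleHandleW"},
    "native Nt* API use": {"NtWriteFile"},
    "CSPRNG": {"ProcessPrng", "BCryptGenRandom", "SystemFunction036"},
}

# Editor's assumption: APIs a dropper would normally import statically for these actions.
EXPECTED_APIS = {
    "remote process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtCreateThreadEx", "NtMapViewOfSection"},
    "registry autostart": {"RegOpenKeyExW", "RegCreateKeyExW", "RegSetValueExW"},
    "Win32 file write": {"WriteFile"},
}

# DLL name (ending in .dll), optional " | " separator, then the comma-separated imports.
_ROW = re.compile(r"^\s*(?P<dll>[\w.\-]+?\.dll)\s*\|?\s*(?P<funcs>.*?)\s*$", re.IGNORECASE)


def parse_import_table(rows):
    """Return {dll_lowercase: [import, ...]} from report rows in either cell form."""
    table = {}
    for row in rows:
        m = _ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised import row: {row!r}")
        funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
        table.setdefault(m.group("dll").lower(), []).extend(funcs)
    return table


def all_imports(table):
    return {f for funcs in table.values() for f in funcs}


def capability_hits(table):
    """Map each capability group to the imports from that group that are present."""
    present = all_imports(table)
    return {g: sorted(apis & present) for g, apis in CAPABILITY_GROUPS.items() if apis & present}


def absent_apis(table, expected=EXPECTED_APIS):
    """Map each expected-API group to the members missing from the static import table."""
    present = all_imports(table)
    return {g: sorted(apis - present) for g, apis in expected.items() if apis - present}


def triage(rows=IMPORT_ROWS):
    table = parse_import_table(rows)
    present, absent = all_imports(table), absent_apis(table)
    # Heuristic (editor's assumption): loader APIs present while every injection API
    # is absent means such behaviour, if any, is reached by GetProcAddress lookups or
    # direct/indirect syscalls, neither of which shows up in static imports.
    injection = absent.get("remote process injection", [])
    runtime_resolution_likely = "GetProcAddress" in present and len(injection) == len(EXPECTED_APIS["remote process injection"])
    return {"dll_count": len(table), "capabilities": capability_hits(table),
            "absent_expected_apis": absent, "runtime_resolution_likely": runtime_resolution_likely}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

                                                Run it as a script to print the triage as JSON; the "absent_expected_apis" bucket is the part to read against the dynamic findings, since an empty static footprint for injection and registry APIs is exactly what runtime resolution and direct syscalls look like from the import table.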
                                                Language of compilation system | Country where language is spoken | Map
                                                English | United States |
                                                No network behavior found

                                                Target ID:0
                                                Start time:21:07:34
                                                Start date:08/01/2025
                                                Path:C:\Users\user\Desktop\dropper.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\dropper.exe"
                                                Imagebase:0x7ff66ac80000
                                                File size:3'264'512 bytes
                                                MD5 hash:B86AC1DA682DBCF7461084E143B3B1EF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:21:07:34
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d20d0000
                                                File size:875'008 bytes
                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:21:07:35
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\cmd.exe"
                                                Imagebase:0x7ff630c40000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:4
                                                Start time:21:07:35
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d20d0000
                                                File size:875'008 bytes
                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:7
                                                Start time:21:07:52
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\winlogon.exe
                                                Wow64 process (32bit):false
                                                Commandline:winlogon.exe
                                                Imagebase:0x7ff66bc90000
                                                File size:944'128 bytes
                                                MD5 hash:A987B43E6A8E8F894B98A3DF022DB518
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:8
                                                Start time:21:07:52
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\lsass.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\lsass.exe
                                                Imagebase:0x7ff76abb0000
                                                File size:59'448 bytes
                                                MD5 hash:15A556DEF233F112D127025AB51AC2D3
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:9
                                                Start time:21:07:53
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:10
                                                Start time:21:07:54
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\fontdrvhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:"fontdrvhost.exe"
                                                Imagebase:0x7ff7898e0000
                                                File size:830'520 bytes
                                                MD5 hash:AB7AB4CF816D091EEE234C1D9BC4FD13
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:11
                                                Start time:21:07:54
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\fontdrvhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:"fontdrvhost.exe"
                                                Imagebase:0x7ff7898e0000
                                                File size:830'520 bytes
                                                MD5 hash:AB7AB4CF816D091EEE234C1D9BC4FD13
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:12
                                                Start time:21:07:54
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k RPCSS -p
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:13
                                                Start time:21:07:54
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:14
                                                Start time:21:07:55
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\dwm.exe
                                                Wow64 process (32bit):false
                                                Commandline:"dwm.exe"
                                                Imagebase:0x7ff697f80000
                                                File size:94'720 bytes
                                                MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:15
                                                Start time:21:07:58
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:16
                                                Start time:21:07:58
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:17
                                                Start time:21:07:59
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:18
                                                Start time:21:07:59
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:19
                                                Start time:21:07:59
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe
                                                Imagebase:0x7ff715780000
                                                File size:365'360 bytes
                                                MD5 hash:B6BAD2BD8596D9101874E9042B8E2D63
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:20
                                                Start time:21:07:59
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:21
                                                Start time:21:08:00
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:22
                                                Start time:21:08:00
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:23
                                                Start time:21:08:01
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:24
                                                Start time:21:08:02
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:25
                                                Start time:21:08:02
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe
                                                Imagebase:0x7ff6041e0000
                                                File size:399'664 bytes
                                                MD5 hash:91038D45A86B5465E8B7E5CD63187150
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:26
                                                Start time:21:08:02
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:27
                                                Start time:21:08:03
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe
                                                Imagebase:0x7ff6b0a60000
                                                File size:521'536 bytes
                                                MD5 hash:3B0DF35583675DE5A08E8D4C1271CEC0
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:28
                                                Start time:21:08:03
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:29
                                                Start time:21:08:03
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:30
                                                Start time:21:08:03
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:31
                                                Start time:21:08:04
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:32
                                                Start time:21:08:04
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:33
                                                Start time:21:08:04
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:34
                                                Start time:21:08:04
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:35
                                                Start time:21:08:05
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:36
                                                Start time:21:08:05
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:37
                                                Start time:21:08:05
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:38
                                                Start time:21:08:06
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:39
                                                Start time:21:08:06
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:40
                                                Start time:21:08:06
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:41
                                                Start time:21:08:06
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:42
                                                Start time:21:08:07
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:43
                                                Start time:21:08:08
                                                Start date:08/01/2025
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                Imagebase:0x7ff626ef0000
                                                File size:57'360 bytes
                                                MD5 hash:F586835082F632DC8D9404D83BC16316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                  Execution Graph

                                                  Execution Coverage:15.7%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:46.9%
                                                  Total number of Nodes:948
                                                  Total number of Limit Nodes:100
5191->5193 5192 7ff66ac90c66 memcpy memcpy 5196 7ff66ac90cb2 5192->5196 5201 7ff66ac90ca8 5192->5201 5193->4924 5195->5190 5195->5192 5564 7ff66ac95190 5196->5564 5198 7ff66adc9810 23 API calls 5199 7ff66ac90dc2 memset 5198->5199 5200 7ff66ac90eba OutputDebugStringW 5199->5200 5203 7ff66ac90e04 5199->5203 5202 7ff66ac90ed6 5200->5202 5201->5198 5201->5205 5204 7ff66addf370 23 API calls 5202->5204 5202->5205 5203->5200 5204->5193 5205->4924 5207 7ff66ac87b4e 5206->5207 5208 7ff66ac87391 5206->5208 5209 7ff66adde090 3 API calls 5207->5209 5210 7ff66adddfc0 2 API calls 5208->5210 5213 7ff66ac873a7 5208->5213 5209->5213 5210->5207 5211 7ff66ac87baa 5214 7ff66addf370 23 API calls 5211->5214 5212 7ff66ac8759b 5215 7ff66adc9810 23 API calls 5212->5215 5213->5211 5217 7ff66ac873cc 5213->5217 5216 7ff66ac87a2d 5214->5216 5218 7ff66ac875f5 memset 5215->5218 5223 7ff66ac83a5e 5216->5223 5577 7ff66adde080 WakeByAddressSingle 5216->5577 5217->5212 5219 7ff66ac87660 5217->5219 5220 7ff66ac877ea OutputDebugStringW 5218->5220 5226 7ff66ac8763b 5218->5226 5224 7ff66adc9810 23 API calls 5219->5224 5222 7ff66ac87800 5220->5222 5222->5216 5229 7ff66adc9810 23 API calls 5222->5229 5231 7ff66ac879fa OutputDebugStringW 5222->5231 5223->4938 5223->4939 5225 7ff66ac876ec memset 5224->5225 5227 7ff66ac87aca OutputDebugStringW 5225->5227 5228 7ff66ac87739 5225->5228 5226->5220 5227->5216 5228->5227 5230 7ff66ac87921 memset 5229->5230 5230->5222 5230->5231 5231->5222 5235 7ff66ac9493c 5232->5235 5233 7ff66ac94cdc 5234 7ff66added93 23 API calls 5233->5234 5236 7ff66ac94cee 5234->5236 5235->5233 5237 7ff66ac94ad9 5235->5237 5239 7ff66ac94a1a 5235->5239 5236->4963 5238 7ff66add8c00 26 API calls 5237->5238 5237->5239 5238->5237 5239->4963 5241 7ff66ac84d33 5240->5241 5242 7ff66ac84dd1 memset 5240->5242 5243 7ff66ac84e1f 5241->5243 5246 7ff66ac84d5f memset 5241->5246 5244 7ff66ac851cc OutputDebugStringW 5242->5244 5247 7ff66adc9810 23 API calls 5243->5247 5245 7ff66ac851da 5244->5245 5245->4976 
5246->5244 5248 7ff66ac84ead memset 5247->5248 5249 7ff66ac84f9a OutputDebugStringW 5248->5249 5252 7ff66ac84ee5 5248->5252 5250 7ff66ac84fbc 5249->5250 5251 7ff66ac85168 memset 5250->5251 5253 7ff66ac8500c strlen 5250->5253 5254 7ff66ac85064 memcmp 5250->5254 5251->5244 5252->5249 5253->5250 5254->5250 5255 7ff66ac85075 5254->5255 5256 7ff66adc9810 23 API calls 5255->5256 5257 7ff66ac8510b memset 5256->5257 5258 7ff66ac8528a OutputDebugStringW 5257->5258 5259 7ff66ac85143 5257->5259 5258->5245 5259->5258 5260->4966 5261->4960 5263 7ff66ac90350 34 API calls 5262->5263 5264 7ff66ac829f5 5263->5264 5265 7ff66ac82ce8 5264->5265 5266 7ff66ac829ff 5264->5266 5267 7ff66addf370 23 API calls 5265->5267 5268 7ff66adc9810 23 API calls 5266->5268 5269 7ff66ac82d29 5267->5269 5270 7ff66ac82af4 memset 5268->5270 5269->5023 5271 7ff66ac82bda OutputDebugStringW 5270->5271 5272 7ff66ac82b33 5270->5272 5273 7ff66ac82bf0 5271->5273 5272->5271 5273->5023 5275 7ff66adc9810 23 API calls 5274->5275 5276 7ff66ac853bb memset 5275->5276 5277 7ff66ac854aa OutputDebugStringW 5276->5277 5280 7ff66ac853f6 5276->5280 5278 7ff66ac854cd 5277->5278 5279 7ff66ac821c0 34 API calls 5278->5279 5281 7ff66ac854ed 5279->5281 5280->5277 5282 7ff66ac90ae0 32 API calls 5281->5282 5288 7ff66ac854fc 5281->5288 5283 7ff66ac85544 5282->5283 5284 7ff66ac85551 5283->5284 5289 7ff66ac8562f 5283->5289 5285 7ff66adc9810 23 API calls 5284->5285 5286 7ff66ac855ca memset 5285->5286 5287 7ff66ac8580a OutputDebugStringW 5286->5287 5290 7ff66ac8560a 5286->5290 5287->5288 5288->5025 5291 7ff66adc9810 23 API calls 5289->5291 5290->5287 5292 7ff66ac85715 memset 5291->5292 5293 7ff66ac8592a OutputDebugStringW 5292->5293 5296 7ff66ac8574e 5292->5296 5294 7ff66ac85946 5293->5294 5295 7ff66adc9810 23 API calls 5294->5295 5297 7ff66ac85a03 5295->5297 5296->5293 5379 7ff66adc99d0 5297->5379 5299 7ff66ac85a27 5300 7ff66adc9810 23 API calls 5299->5300 5301 7ff66ac85a99 memset 5300->5301 5302 7ff66ac85b8a OutputDebugStringW 
5301->5302 5305 7ff66ac85ad5 5301->5305 5303 7ff66ac85ba6 5302->5303 5304 7ff66ac867d0 42 API calls 5303->5304 5306 7ff66ac85bca 5304->5306 5305->5302 5307 7ff66adc9810 23 API calls 5306->5307 5308 7ff66ac85c43 memset 5307->5308 5309 7ff66ac85d2a OutputDebugStringW 5308->5309 5313 7ff66ac85c7c 5308->5313 5310 7ff66ac85d46 5309->5310 5311 7ff66ac87340 33 API calls 5310->5311 5312 7ff66ac85d62 5311->5312 5314 7ff66ac85d6c 5312->5314 5315 7ff66ac85e41 memset OutputDebugStringW GetModuleHandleA 5312->5315 5313->5309 5316 7ff66adc9810 23 API calls 5314->5316 5317 7ff66ac85f3a 5315->5317 5322 7ff66ac85efb 5315->5322 5318 7ff66ac85de3 memset 5316->5318 5412 7ff66adb3d00 GetLastError 5317->5412 5320 7ff66ac8600a OutputDebugStringW 5318->5320 5326 7ff66ac85e1c 5318->5326 5320->5322 5321 7ff66ac84d10 33 API calls 5323 7ff66ac86051 5321->5323 5322->5288 5322->5321 5324 7ff66ac8616b 5323->5324 5325 7ff66ac8605b 5323->5325 5327 7ff66adc9810 23 API calls 5324->5327 5328 7ff66ac86071 VirtualQuery 5325->5328 5326->5320 5329 7ff66ac861bf memset 5327->5329 5330 7ff66ac86224 5328->5330 5331 7ff66ac86090 5328->5331 5332 7ff66ac8641a OutputDebugStringW 5329->5332 5337 7ff66ac861ff 5329->5337 5334 7ff66adc9810 23 API calls 5330->5334 5331->5330 5333 7ff66ac8609d 5331->5333 5332->5288 5336 7ff66adc9810 23 API calls 5333->5336 5335 7ff66ac86286 memset 5334->5335 5335->5332 5335->5337 5338 7ff66ac8610d memset 5336->5338 5337->5332 5339 7ff66ac8653a OutputDebugStringW 5338->5339 5340 7ff66ac86146 5338->5340 5339->5288 5340->5339 5344 7ff66ac9458a 5341->5344 5342 7ff66ac94795 5342->5062 5343 7ff66ac948a5 5345 7ff66added93 23 API calls 5343->5345 5344->5342 5344->5343 5347 7ff66ac94613 5344->5347 5346 7ff66ac948bd 5345->5346 5346->5062 5347->5342 5482 7ff66add8c00 5347->5482 5350 7ff66ac9200a OutputDebugStringW 5349->5350 5351 7ff66ac91f6a 5349->5351 5350->5123 5351->5350 5352->5026 5353->5035 5354->5046 5355->5058 5357 7ff66adb7390 5356->5357 5358 7ff66adb730d 5356->5358 5359 7ff66added93 23 
API calls 5357->5359 5358->5357 5363 7ff66adb7333 5358->5363 5360 7ff66adb7376 5359->5360 5361 7ff66added93 23 API calls 5360->5361 5365 7ff66adb737c 5360->5365 5362 7ff66adb73aa 5361->5362 5363->5360 5364 7ff66addd9f0 RtlReAllocateHeap 5363->5364 5364->5360 5365->5069 5545 7ff66adb4970 5366->5545 5368 7ff66adb4332 RoOriginateErrorW 5369 7ff66ac8b7e3 5368->5369 5370 7ff66adb3fc0 GetErrorInfo 5369->5370 5370->5140 5371->5140 5373 7ff66ac9427f 5372->5373 5374 7ff66ac9426a 5372->5374 5373->5134 5375 7ff66adb4300 25 API calls 5374->5375 5376 7ff66ac94271 5375->5376 5563 7ff66adb3fc0 GetErrorInfo 5376->5563 5378 7ff66ac94278 5378->5134 5380 7ff66adca539 5379->5380 5382 7ff66adc99ff 5379->5382 5381 7ff66added93 23 API calls 5380->5381 5409 7ff66adc9fad 5381->5409 5382->5380 5388 7ff66adc9a2e 5382->5388 5383 7ff66addf510 23 API calls 5384 7ff66adca537 5383->5384 5384->5299 5386 7ff66adc9c3c 5439 7ff66addf510 5386->5439 5388->5386 5390 7ff66adc9590 23 API calls 5388->5390 5391 7ff66adca271 memcpy 5388->5391 5392 7ff66adca4b4 5388->5392 5393 7ff66adca451 5388->5393 5394 7ff66adca028 memcpy 5388->5394 5398 7ff66adca460 5388->5398 5399 7ff66adca120 memcpy 5388->5399 5400 7ff66adca4cc 5388->5400 5401 7ff66adc9b6f memcpy 5388->5401 5404 7ff66adca47c 5388->5404 5405 7ff66adca1c0 memcpy 5388->5405 5406 7ff66adca4e4 5388->5406 5408 7ff66adca494 5388->5408 5388->5409 5410 7ff66add7100 23 API calls 5388->5410 5411 7ff66add7280 23 API calls 5388->5411 5413 7ff66add7580 5388->5413 5429 7ff66addecf0 5388->5429 5390->5388 5391->5388 5397 7ff66addecf0 23 API calls 5392->5397 5396 7ff66addecf0 23 API calls 5393->5396 5394->5388 5395 7ff66addecf0 23 API calls 5395->5392 5396->5398 5397->5400 5403 7ff66addecf0 23 API calls 5398->5403 5399->5388 5402 7ff66addecf0 23 API calls 5400->5402 5401->5388 5402->5406 5403->5404 5407 7ff66addecf0 23 API calls 5404->5407 5405->5388 5406->5299 5407->5408 5408->5395 5409->5383 5410->5388 5411->5388 5412->5322 5414 7ff66add7592 5413->5414 5415 
7ff66add75ae 5413->5415 5414->5388 5415->5414 5441 7ff66addf128 5415->5441 5430 7ff66added01 5429->5430 5431 7ff66added70 5429->5431 5430->5431 5433 7ff66added24 5430->5433 5432 7ff66added93 23 API calls 5431->5432 5434 7ff66added57 5432->5434 5444 7ff66addd9f0 5433->5444 5435 7ff66added93 23 API calls 5434->5435 5438 7ff66added5d 5434->5438 5437 7ff66added92 5435->5437 5438->5388 5448 7ff66add4bd0 5439->5448 5442 7ff66addefa0 23 API calls 5441->5442 5443 7ff66addf18b 5442->5443 5445 7ff66addda0d 5444->5445 5446 7ff66addda26 5444->5446 5445->5446 5447 7ff66addda24 RtlReAllocateHeap 5445->5447 5446->5434 5447->5446 5449 7ff66add4c3b 5448->5449 5450 7ff66add4bf9 5448->5450 5451 7ff66add4ed8 5449->5451 5454 7ff66add4f4c 5449->5454 5456 7ff66add4fc1 5449->5456 5460 7ff66addf510 23 API calls 5449->5460 5461 7ff66add4d7f 5449->5461 5463 7ff66addef20 5449->5463 5450->5449 5453 7ff66addf510 23 API calls 5450->5453 5452 7ff66addefa0 23 API calls 5451->5452 5452->5454 5453->5449 5455 7ff66addefa0 23 API calls 5454->5455 5455->5456 5470 7ff66addf460 5456->5470 5460->5449 5462 7ff66addefa0 23 API calls 5461->5462 5462->5451 5464 7ff66addf040 23 API calls 5463->5464 5465 7ff66addef3e 5464->5465 5466 7ff66addefa0 23 API calls 5465->5466 5467 7ff66addef9c 5466->5467 5468 7ff66adbe010 23 API calls 5467->5468 5469 7ff66addefc1 5468->5469 5479 7ff66add7020 5470->5479 5480 7ff66addefa0 23 API calls 5479->5480 5481 7ff66add708e 5480->5481 5483 7ff66add8cd4 5482->5483 5484 7ff66add8c17 5482->5484 5485 7ff66added93 23 API calls 5483->5485 5484->5483 5489 7ff66add8c6d 5484->5489 5486 7ff66add8cba 5485->5486 5487 7ff66added93 23 API calls 5486->5487 5495 7ff66add8cc1 5486->5495 5488 7ff66add8cf8 5487->5488 5509 7ff66ac9afd0 5488->5509 5489->5486 5505 7ff66add8b90 5489->5505 5492 7ff66add8d3b 5493 7ff66add8d44 5492->5493 5494 7ff66add8f16 5492->5494 5516 7ff66ac9ad10 5493->5516 5497 7ff66addefa0 23 API calls 5494->5497 5495->5347 5499 7ff66add8f67 5497->5499 5498 7ff66add8d6e 5498->5499 
5501 7ff66add8da5 5498->5501 5500 7ff66addedb0 23 API calls 5499->5500 5503 7ff66add8f78 5500->5503 5504 7ff66add8eae 5501->5504 5523 7ff66adc1950 5501->5523 5503->5347 5504->5347 5506 7ff66add8ba7 5505->5506 5508 7ff66add8bc0 5505->5508 5507 7ff66add8bbe RtlReAllocateHeap 5506->5507 5506->5508 5507->5508 5508->5486 5510 7ff66ac9b006 5509->5510 5511 7ff66ac9afda 5509->5511 5510->5492 5530 7ff66ac9b240 5511->5530 5513 7ff66ac9afe5 5513->5510 5514 7ff66addedb0 23 API calls 5513->5514 5515 7ff66ac9b028 5514->5515 5515->5492 5517 7ff66ac9ad28 5516->5517 5518 7ff66ac9ad35 5517->5518 5519 7ff66ac9ad92 5517->5519 5520 7ff66addf460 23 API calls 5517->5520 5518->5498 5519->5518 5521 7ff66addf450 23 API calls 5519->5521 5520->5519 5522 7ff66ac9adf4 5521->5522 5524 7ff66adc1a2b 5523->5524 5525 7ff66adc1989 5523->5525 5527 7ff66adbab50 23 API calls 5524->5527 5526 7ff66adc19e7 5525->5526 5535 7ff66adb7220 5525->5535 5526->5504 5529 7ff66adc1a65 5527->5529 5529->5504 5531 7ff66ac9b253 5530->5531 5532 7ff66ac9b2aa 5530->5532 5531->5532 5533 7ff66ac9b278 BCryptGenRandom 5531->5533 5532->5513 5533->5531 5534 7ff66ac9b29c SystemFunction036 5533->5534 5534->5531 5534->5532 5536 7ff66adb72c8 5535->5536 5537 7ff66adb723d 5535->5537 5539 7ff66added93 23 API calls 5536->5539 5537->5536 5541 7ff66adb7264 5537->5541 5538 7ff66adb72ae 5540 7ff66added93 23 API calls 5538->5540 5544 7ff66adb72b4 5538->5544 5539->5538 5542 7ff66adb72e2 5540->5542 5541->5538 5543 7ff66addd9f0 RtlReAllocateHeap 5541->5543 5543->5538 5544->5526 5546 7ff66adb499a 5545->5546 5547 7ff66adb4cc5 5546->5547 5550 7ff66adb4bb5 5546->5550 5551 7ff66adb4a23 5546->5551 5548 7ff66added93 23 API calls 5547->5548 5549 7ff66adb4cdd 5548->5549 5549->5368 5550->5368 5551->5550 5553 7ff66addd7a0 5551->5553 5554 7ff66addd7b2 5553->5554 5555 7ff66addd861 5553->5555 5554->5555 5558 7ff66addd7fa 5554->5558 5556 7ff66added93 23 API calls 5555->5556 5560 7ff66addd847 5556->5560 5557 7ff66added93 23 API calls 5561 7ff66addd885 
5557->5561 5559 7ff66add8b90 RtlReAllocateHeap 5558->5559 5558->5560 5559->5560 5560->5557 5562 7ff66addd84e 5560->5562 5561->5551 5562->5551 5563->5378 5566 7ff66ac951c4 5564->5566 5568 7ff66ac951ef 5564->5568 5565 7ff66ac95265 5565->5201 5566->5201 5568->5565 5569 7ff66adb0a60 5568->5569 5571 7ff66adb0ac1 5569->5571 5570 7ff66adb0f21 5570->5568 5571->5570 5572 7ff66adb0f8c 5571->5572 5575 7ff66adb0f0b 5571->5575 5573 7ff66addf460 23 API calls 5572->5573 5574 7ff66adb0f9b 5573->5574 5576 7ff66addf460 23 API calls 5575->5576 5576->5570 5578 7ff66ac81190 5579 7ff66ac8119a 5578->5579 5580 7ff66ac811b4 5579->5580 5581 7ff66adde080 WakeByAddressSingle 5579->5581 5582 7ff66ac812d0 5583 7ff66add3410 5582->5583 5586 7ff66add35b2 5583->5586 5587 7ff66add34bf 5583->5587 5588 7ff66add36f0 5583->5588 5591 7ff66adcf2e0 5583->5591 5585 7ff66addf510 23 API calls 5585->5588 5589 7ff66addf510 23 API calls 5586->5589 5587->5585 5587->5588 5590 7ff66add3793 5589->5590 5592 7ff66adcf2f3 5591->5592 5593 7ff66adcf33a 5592->5593 5596 7ff66adcf314 5592->5596 5597 7ff66add7400 5592->5597 5593->5596 5604 7ff66add5130 5593->5604 5596->5583 5598 7ff66add74ab 5597->5598 5599 7ff66add755d 5597->5599 5602 7ff66add751d 5598->5602 5603 7ff66addf128 23 API calls 5598->5603 5600 7ff66addf128 23 API calls 5599->5600 5601 7ff66add7571 5600->5601 5602->5593 5603->5599 5605 7ff66add5147 5604->5605 5606 7ff66add513f 5604->5606 5605->5606 5609 7ff66add5000 5605->5609 5606->5596 5608 7ff66add51c9 5608->5596 5611 7ff66add5014 5609->5611 5612 7ff66add508a 5609->5612 5610 7ff66add5072 5610->5608 5611->5610 5611->5612 5613 7ff66add510c 5611->5613 5614 7ff66addf460 23 API calls 5611->5614 5612->5610 5616 7ff66addef20 23 API calls 5612->5616 5615 7ff66addf450 23 API calls 5613->5615 5614->5613 5615->5612 5617 7ff66add5127 5616->5617 5618 7ff66add513f 5617->5618 5619 7ff66add5000 23 API calls 5617->5619 5618->5608 5620 7ff66add51c9 5619->5620 5620->5608 5621 7ff66ac81250 5622 7ff66ac81261 5621->5622 5623 
7ff66ac8128a 5622->5623 5624 7ff66adde5c7 5622->5624 5625 7ff66adde659 5622->5625 5626 7ff66adde5ef 5624->5626 5628 7ff66adde5da WakeByAddressSingle 5624->5628 5627 7ff66addf040 23 API calls 5625->5627 5630 7ff66adde5f9 5626->5630 5631 7ff66adde620 WakeByAddressSingle 5626->5631 5633 7ff66adde60e 5626->5633 5629 7ff66adde671 5627->5629 5632 7ff66adde644 WakeByAddressAll 5630->5632 5630->5633 5631->5632 5631->5633 5632->5633 5659 7ff66ac81230 5660 7ff66ac8124e 5659->5660 5661 7ff66adde5c7 5660->5661 5662 7ff66adde659 5660->5662 5663 7ff66adde5ef 5661->5663 5666 7ff66adde5da WakeByAddressSingle 5661->5666 5664 7ff66addf040 23 API calls 5662->5664 5665 7ff66adde5f9 5663->5665 5668 7ff66adde60e 5663->5668 5669 7ff66adde620 WakeByAddressSingle 5663->5669 5667 7ff66adde671 5664->5667 5665->5668 5670 7ff66adde644 WakeByAddressAll 5665->5670 5669->5668 5669->5670 5670->5668 5634 7ff66ac81000 5635 7ff66ac810a2 5634->5635 5638 7ff66ac8101c 5634->5638 5636 7ff66addef20 23 API calls 5635->5636 5637 7ff66ac810ae 5636->5637 5640 7ff66ac81158 5637->5640 5643 7ff66ac810cc 5637->5643 5639 7ff66ac8102c 5638->5639 5647 7ff66adbd3c0 ProcessPrng 5638->5647 5641 7ff66addef20 23 API calls 5640->5641 5646 7ff66ac81164 5641->5646 5645 7ff66ac810dc 5643->5645 5648 7ff66adbd3c0 ProcessPrng 5643->5648 5647->5639 5648->5645 5649 7ff66ac82940 5650 7ff66ac82977 5649->5650 5651 7ff66ac82986 5649->5651 5652 7ff66adde5b0 26 API calls 5651->5652 5652->5650 5675 7ff66ac82120 5676 7ff66ac93010 26 API calls 5675->5676 5677 7ff66ac8214b 5676->5677
                                                  APIs
                                                  Strings
                                                  • , xrefs: 00007FF66AC8B93A
                                                  • NtCreateSection failedNtOpenFile failed for , xrefs: 00007FF66AC8BC87
                                                  • NtCreateSectionNtMapViewOfSectionNtOpenFileZwOpenKeyZwCreateKeyZwSetValueKeyZwCloseVirtualAllocExCloseHandleWriteProcessMemoryCreateToolhelp32SnapshotModule32FirstWModule32NextWResumeThreadCreateProcessWNtCloseC:\Users\Harrison\.rustup\toolchains\nightly-x86_6, xrefs: 00007FF66AC8AB91
                                                  • , xrefs: 00007FF66AC8BDC6
                                                  • `, xrefs: 00007FF66AC8B42A
                                                  • KO_S, xrefs: 00007FF66AC8B839
                                                  • NtMapViewOfSection failedSTATUS_IMAGE_NOT_AT_BASE detected. Module mapped at address: , xrefs: 00007FF66AC8C2D2
                                                  • NtOpenFileZwOpenKeyZwCreateKeyZwSetValueKeyZwCloseVirtualAllocExCloseHandleWriteProcessMemoryCreateToolhelp32SnapshotModule32FirstWModule32NextWResumeThreadCreateProcessWNtCloseC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src, xrefs: 00007FF66AC8A996
                                                  • C:\Windows\System32\Resolved full path for module: , xrefs: 00007FF66AC8A461
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                  • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff66ac80000_dropper.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset$Section$CloseCreateCurrentFileOpenProcessViewmemcpy
                                                  • String ID: $ $C:\Windows\System32\Resolved full path for module: $KO_S$NtCreateSection failedNtOpenFile failed for $NtCreateSectionNtMapViewOfSectionNtOpenFileZwOpenKeyZwCreateKeyZwSetValueKeyZwCloseVirtualAllocExCloseHandleWriteProcessMemoryCreateToolhelp32SnapshotModule32FirstWModule32NextWResumeThreadCreateProcessWNtCloseC:\Users\Harrison\.rustup\toolchains\nightly-x86_6$NtMapViewOfSection failedSTATUS_IMAGE_NOT_AT_BASE detected. Module mapped at address: $NtOpenFileZwOpenKeyZwCreateKeyZwSetValueKeyZwCloseVirtualAllocExCloseHandleWriteProcessMemoryCreateToolhelp32SnapshotModule32FirstWModule32NextWResumeThreadCreateProcessWNtCloseC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src$`
                                                  • API String ID: 3957571157-1956066672
                                                  APIs
                                                  Similarity
                                                  • API ID: memset$DebugOutputString$memcpy
                                                  • String ID:
                                                  • API String ID: 170145970-0
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: memset$DebugOutputString$HandleModuleQueryVirtual
                                                  • String ID: C:\Windows\System32\Resolved full path for module: $ntdll.dll$ntdll.dllNormalized full path for ntdll.dll:
                                                  • API String ID: 3283594973-2956908514

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset
                                                  • String ID: arenegyl$called `Result::unwrap()` on an `Err` value$modnarod$setybdet$uespemos
                                                  • API String ID: 1084755268-2410307170

                                                   Control-flow Graph

                                                   [Control-flow graph of the function at 7ff66ac84d10; rendered graph with executed / not-executed block colouring omitted]
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                   • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff66ac80000_dropper.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset$memcmpstrlen
                                                  • String ID: c
                                                  • API String ID: 2294051181-112844655
                                                  • Opcode ID: 5354f0a8e623599f9fe8930cc5d1e678b0568999a0104843e8c258e165f165ca
                                                  • Instruction ID: 4c9f48186bcc368c697143c8352cfc6b64efdc41ce034039aaaccf106e77034f
                                                  • Opcode Fuzzy Hash: 5354f0a8e623599f9fe8930cc5d1e678b0568999a0104843e8c258e165f165ca
                                                  • Instruction Fuzzy Hash: 73E1BD22A1CBC5D5EB218B24E4413EAB7B5FB85784F404275DA8E8BB95EF7CD185CB00

                                                   Control-flow Graph

                                                   [Control-flow graph of the function at 7ff66ac821c0; rendered graph with executed / not-executed block colouring omitted]
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                   • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff66ac80000_dropper.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset$memcpy
                                                  • String ID: arenegyl$called `Result::unwrap()` on an `Err` value$modnarod$setybdet$uespemos
                                                  • API String ID: 293864031-2410307170
                                                  • Opcode ID: 247d43cd1d1b8dc6b474da57c97a40d1ccb39a3442b4d94a148f13f6577b846c
                                                  • Instruction ID: ae4abff345c4dd577a0b5b7317d89ba039b84ddc725877980c54a16ef4a4bcf9
                                                  • Opcode Fuzzy Hash: 247d43cd1d1b8dc6b474da57c97a40d1ccb39a3442b4d94a148f13f6577b846c
                                                  • Instruction Fuzzy Hash: 6B02F372A15B8199EB20CF60D8587ED37B1FB05798F408276DE6D9BB99EF389241C340

                                                   Control-flow Graph

                                                   [Control-flow graph of the function at 7ff66ac81350; rendered graph with executed / not-executed block colouring omitted]
                                                  APIs
                                                  Strings
                                                  • NtGetContextThreadNtSetContextThreadNtCloseNtCreateThreadExNtCreateProcessExNtQueryInformationThreadGetProcessIdOfThreadWriteProcessMemoryReadProcessMemoryOpenProcessVirtualProtectExCloseHandleVirtualAllocVirtualProtectOpenThreadCreateToolhelp32SnapshotThread3, xrefs: 00007FF66AC815CC
                                                  • NtProtectVirtualMemoryNtAllocateVirtualMemoryNtMapViewOfSectionNtUnmapViewOfSectionNtOpenFileLdrLoadDllEtwEventWriteFullEtwEventWriteEtwEventWriteTransferWDEnableMpWDEnableMpScanStartMpSampleSubmitMpAmsiNotifyMpSampleQueryMpAmsiScanMpThreatActionNtResumeThread, xrefs: 00007FF66AC81434
                                                  • FindFirstFileWFindNextFileWNtQueryDirectoryFileRegQueryValueExWNtEnumerateKeyGetAsyncKeyStateSetWindowsHookExWLogonUserWCredEnumerateWCreateProcessWNtQueryInformationProcessVirtualQueryExGetProcessIdNtOpenProcessNtWriteVirtualMemoryNtReadVirtualMemoryLoadLibra, xrefs: 00007FF66AC81962
                                                  • called `Result::unwrap()` on an `Err` value, xrefs: 00007FF66AC81FD1
                                                  • Thread32NextVirtualFreeWaitForSingleObjectTerminateThreadSuspendThreadResumeThreadIsWow64ProcessModule32FirstWModule32NextWGetCurrentProcessIdProcess32FirstWProcess32NextWZwOpenKeyZwCreateKeyZwSetValueKeyZwCloseCreateRemoteThreadNtQuerySystemInformationEnumPro, xrefs: 00007FF66AC81787
                                                  • RtlCaptureStackBackTraceLoadLibraryAGetProcAddressLdrGetDllHandleByMappingLdrRegisterDllNotificationVirtualAllocExVirtualFreeExNtCreateSectionFailed to encrypt function name, xrefs: 00007FF66AC81B0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                   • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff66ac80000_dropper.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memset$DebugOutputString
                                                  • String ID: FindFirstFileWFindNextFileWNtQueryDirectoryFileRegQueryValueExWNtEnumerateKeyGetAsyncKeyStateSetWindowsHookExWLogonUserWCredEnumerateWCreateProcessWNtQueryInformationProcessVirtualQueryExGetProcessIdNtOpenProcessNtWriteVirtualMemoryNtReadVirtualMemoryLoadLibra$NtGetContextThreadNtSetContextThreadNtCloseNtCreateThreadExNtCreateProcessExNtQueryInformationThreadGetProcessIdOfThreadWriteProcessMemoryReadProcessMemoryOpenProcessVirtualProtectExCloseHandleVirtualAllocVirtualProtectOpenThreadCreateToolhelp32SnapshotThread3$NtProtectVirtualMemoryNtAllocateVirtualMemoryNtMapViewOfSectionNtUnmapViewOfSectionNtOpenFileLdrLoadDllEtwEventWriteFullEtwEventWriteEtwEventWriteTransferWDEnableMpWDEnableMpScanStartMpSampleSubmitMpAmsiNotifyMpSampleQueryMpAmsiScanMpThreatActionNtResumeThread$RtlCaptureStackBackTraceLoadLibraryAGetProcAddressLdrGetDllHandleByMappingLdrRegisterDllNotificationVirtualAllocExVirtualFreeExNtCreateSectionFailed to encrypt function name$Thread32NextVirtualFreeWaitForSingleObjectTerminateThreadSuspendThreadResumeThreadIsWow64ProcessModule32FirstWModule32NextWGetCurrentProcessIdProcess32FirstWProcess32NextWZwOpenKeyZwCreateKeyZwSetValueKeyZwCloseCreateRemoteThreadNtQuerySystemInformationEnumPro$called `Result::unwrap()` on an `Err` value
                                                  • API String ID: 4266836622-765071994
                                                  • Opcode ID: d56f5dc9d4e9322075ed67dfe69e45554e22838220a3fb6f3e95be7b7ebe1c47
                                                  • Instruction ID: 7ff04b820ac4973f5f3634c35bcdeac4ebcb5bf0fdbfc498972fd9e9e6b194a2
                                                  • Opcode Fuzzy Hash: d56f5dc9d4e9322075ed67dfe69e45554e22838220a3fb6f3e95be7b7ebe1c47
                                                  • Instruction Fuzzy Hash: A272E936645BD1DAE791CB14E8843E973F8FB08748F904279CA9C8B795EF789264C342

                                                   Control-flow Graph

                                                   [Control-flow graph of the function at 7ff66add82d0; rendered graph with executed / not-executed block colouring omitted]
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                   • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff66ac80000_dropper.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: arenegyl$modnarod$setybdet$uespemos
                                                  • API String ID: 2221118986-66988881
                                                  • Opcode ID: 0bde976117b258d2aefa4a4846460965827dde8773a0e13fe53c06b2022d417d
                                                  • Instruction ID: 69a2cd5c542b125fc2fcba037ae3f37949b9b67815661222196e7a980783e299
                                                  • Opcode Fuzzy Hash: 0bde976117b258d2aefa4a4846460965827dde8773a0e13fe53c06b2022d417d
                                                  • Instruction Fuzzy Hash: DBA15962F1979586EE51AF19A8013AE6661FB44BE4F486331DEAC9B7C0EF3CE141D300

                                                   Control-flow Graph

                                                   [Control-flow graph of the function at 7ff66ac93070; rendered graph with executed / not-executed block colouring omitted]
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                   • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff66ac80000_dropper.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: arenegyl$modnarod$setybdep$uespemos
                                                  • API String ID: 0-169184043
                                                  • Opcode ID: 41e41b3e5bf85884944af84c50470beff421076fe93f83052b09c5bd714c4b6a
                                                  • Instruction ID: c88e7f731e163706e67b838294ce39f2df724c9337c0288943a1bbe38327eccd
                                                  • Opcode Fuzzy Hash: 41e41b3e5bf85884944af84c50470beff421076fe93f83052b09c5bd714c4b6a
                                                  • Instruction Fuzzy Hash: 646148A2F14B9542FB118FB9A411BF96B70B716B44F40A23ADF5E67742EF3892D18200

                                                   Control-flow Graph

                                                   [Control-flow graph of the function at 7ff66ac9b240; rendered graph with executed / not-executed block colouring omitted]
                                                  APIs
                                                  • BCryptGenRandom.BCRYPT(?,00000000,?,00007FF66AC9AFE5,?,?,?,00007FF66ADD8D3B), ref: 00007FF66AC9B292
                                                  • SystemFunction036.ADVAPI32(?,?,?,00007FF66ADD8D3B), ref: 00007FF66AC9B2A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                   • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff66ac80000_dropper.jbxd
                                                  Similarity
                                                  • API ID: CryptFunction036RandomSystem
                                                  • String ID:
                                                  • API String ID: 1232939966-0
                                                  • Opcode ID: 7e5db19c811421e7a1f6f9ad99314db73b2ca63ffc2781fa5743b06b543232d8
                                                  • Instruction ID: 87478a30e67ed27456ec98f0393c7860e6a2d7f39c4e312274d20c9c43a50f1d
                                                  • Opcode Fuzzy Hash: 7e5db19c811421e7a1f6f9ad99314db73b2ca63ffc2781fa5743b06b543232d8
                                                  • Instruction Fuzzy Hash: E2F0F412F09956E0FD615AA76E444389570AF15BF4D2843B5EC3CCBBD59C2CA8869200

                                                   Control-flow Graph

                                                   [Control-flow graph of the function at 7ff66ac90350; rendered graph with executed / not-executed block colouring omitted]
                                                  APIs
                                                  Strings
                                                  • a Display implementation returned an error unexpectedlyC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs, xrefs: 00007FF66AC9095A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                   • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff66ac80000_dropper.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memset$DebugOutputString
                                                  • String ID: a Display implementation returned an error unexpectedlyC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs
                                                  • API String ID: 4266836622-2517649730
                                                  • Opcode ID: da5e0cf2921335439d506e3a95d01a73c6e5849e06382b15a47568e9e3eeac9d
                                                  • Instruction ID: 82d563d8a294aa7e7ff00c7d4d1e81611f35bf4784c2f48e95536eaba02caf5c
                                                  • Opcode Fuzzy Hash: da5e0cf2921335439d506e3a95d01a73c6e5849e06382b15a47568e9e3eeac9d
                                                  • Instruction Fuzzy Hash: E1F17A22A09BC2C9EB719F25D8403E96374FB45798F404275DA9D8FB8ADF79A384C340

                                                  Control-flow Graph (basic-block graph rendered as an image; legend: Executed / Not Executed)
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: memcpy$memset$DebugOutputString
                                                  • String ID: Failed to encrypt function name
                                                  • API String ID: 4266836622-2980051713
                                                  • Opcode ID: 836802b7b3522e3e73946b9affb370a67ead414cd622edc0494827816c140233
                                                  • Instruction ID: cf298596d2872adba131d86adb2ca528e4e52494bf52ecd56813e5f451c4b530
                                                  • Opcode Fuzzy Hash: 836802b7b3522e3e73946b9affb370a67ead414cd622edc0494827816c140233
                                                  • Instruction Fuzzy Hash: 96A1C072A04BD1C8EB308F64E8587E86B70FB45798F4442B9CE9C5BB96DF388690C340

                                                  Control-flow Graph (basic-block graph rendered as an image; legend: Executed / Not Executed)
                                                  APIs
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset
                                                  • String ID:
                                                  • API String ID: 1084755268-0
                                                  • Opcode ID: dbe8b314e803bdf58eb38950bb7c846acb6e651d970314a15dd942edcc0ba3a8
                                                  • Instruction ID: b8ba2aab982e073fc81c7b0707d9999c547988c10acc7945a65a2723dd9b50ba
                                                  • Opcode Fuzzy Hash: dbe8b314e803bdf58eb38950bb7c846acb6e651d970314a15dd942edcc0ba3a8
                                                  • Instruction Fuzzy Hash: 76214923F28A9581EF608764E2157B99231DB96BC8F509375DA4E97F86EF2CC281C700
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorLast$FullNamePath
                                                  • String ID: \\?\$\\?\UNC\$internal error: entered unreachable code/rustc/a4cb3c831823d9baa56c3d90514b75b2660116fa\library\alloc\src\vec\mod.rs
                                                  • API String ID: 2482867836-264738257
                                                  • Opcode ID: 7b5e57fa1381e504366f462f6d97d3e4ce08dabbe9a221981c61dd7eb1d0a69c
                                                  • Instruction ID: 38016a6f828825ad9895de59852f136160dec8482593ca581b7e859b3d8cddf8
                                                  • Opcode Fuzzy Hash: 7b5e57fa1381e504366f462f6d97d3e4ce08dabbe9a221981c61dd7eb1d0a69c
                                                  • Instruction Fuzzy Hash: C462F8A2E0C6E2C5EB718B65D4443B962B9FB01BA4F948371DA5E8F6C0CF7CD5868310
                                                  APIs
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 313767242-0
                                                  • Opcode ID: 8bbd5aa1730cd332274f21e033dfa46fe5b836ac888b46510952249dd751b1d7
                                                  • Instruction ID: 6093f8d5cb568ea87fb58ecc8e2caf2c8e215eb5b6f7da2d2f6e13c617322f98
                                                  • Opcode Fuzzy Hash: 8bbd5aa1730cd332274f21e033dfa46fe5b836ac888b46510952249dd751b1d7
                                                  • Instruction Fuzzy Hash: 89311276609B81D6EB609FA0E8807ED7374FB84748F44417ADA4D8BB99DF38D648CB10
                                                  APIs
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID:
                                                  • API String ID: 3510742995-0
                                                  • Opcode ID: 32e657cc194acbd918f622598c11f78ccfe3def6bcee8ec9206e45420a57f86e
                                                  • Instruction ID: 85d0f298a79b7bd8e7b09a469d8709d0249c53a1005f036602f976f78309af89
                                                  • Opcode Fuzzy Hash: 32e657cc194acbd918f622598c11f78ccfe3def6bcee8ec9206e45420a57f86e
                                                  • Instruction Fuzzy Hash: 99620113A18691DDFB008B6484012FD2B39F715798F848BB5EA5E9FBD9DE38E646D300
                                                  APIs
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: dec3c890079acf30666cbb042920d2fcd3ebd5c44a106d1f256a5617ddfbf15e
                                                  • Instruction ID: 907f8801c9be48b0377718dd8fa131c364a64bbb48c0ed449b4eeb5c17b26d13
                                                  • Opcode Fuzzy Hash: dec3c890079acf30666cbb042920d2fcd3ebd5c44a106d1f256a5617ddfbf15e
                                                  • Instruction Fuzzy Hash: E4111526B54F46DAEB408F60E8542A833B8FB59798F440A71EA6D8A7A4DF78D194C340
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Authenti$GenuineI$HygonGen
                                                  • API String ID: 0-696657513
                                                  • Opcode ID: d564af7801753d2df3cdc9a665a545f9e9439221075aa68ceb7b3aa66f7af1cd
                                                  • Instruction ID: 9b54428df461d901c5134d151a827d81faf121b09dc05c4c0ff15f5d5c864543
                                                  • Opcode Fuzzy Hash: d564af7801753d2df3cdc9a665a545f9e9439221075aa68ceb7b3aa66f7af1cd
                                                  • Instruction Fuzzy Hash: CFB159A3B349A142FB198A56BD12BB94991B359BC8F04B538ED1F9BB80CD7CDA10C301
                                                  APIs
                                                  Similarity
                                                  • API ID: memcpymemset
                                                  • String ID:
                                                  • API String ID: 1297977491-0
                                                  • Opcode ID: 012d4b0774b95dc1f9e4e42be22ad832d4c639c4e9e12a0f9d16244d78570760
                                                  • Instruction ID: c4f766b870a279187c70e61ebcd394e9ca47ee382f1c0dcd6c09c60572752275
                                                  • Opcode Fuzzy Hash: 012d4b0774b95dc1f9e4e42be22ad832d4c639c4e9e12a0f9d16244d78570760
                                                  • Instruction Fuzzy Hash: E8125266C28FD941E223973968027BBAB10EFFB748E11E317FED831E45DB1CA2419654
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 33333333$UUUUUUUU
                                                  • API String ID: 0-3483174168
                                                  • Opcode ID: cff9d24c3fc3692150ad18937845d9fa878edfc3b39f359c130e8016678a4c49
                                                  • Instruction ID: 3a81f71bb059842e67eaceedc94535e03550869ade922beb697c2acde78d5c9a
                                                  • Opcode Fuzzy Hash: cff9d24c3fc3692150ad18937845d9fa878edfc3b39f359c130e8016678a4c49
                                                  • Instruction Fuzzy Hash: 0591E843B681F003F7624B7D1D66566EFA25545BD370DF152EEE423A86C038CC2AE3A5
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 33333333$UUUUUUUU
                                                  • API String ID: 0-3483174168
                                                  • Opcode ID: 14b31b35ad291ddad897dd1f2a0e82a6c76d055b51b98b879fc08f69398a6c0a
                                                  • Instruction ID: 0f8bec32a5713e29220c994287e2471ec9503f957c585ffdc4d845ef937708d5
                                                  • Opcode Fuzzy Hash: 14b31b35ad291ddad897dd1f2a0e82a6c76d055b51b98b879fc08f69398a6c0a
                                                  • Instruction Fuzzy Hash: 6691DA4375A3D48FAB52CB7E194498A6E90E12AFC835CF069CE8D27322D436D557C392
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0123456789abcdefBorrowMutErroralready borrowed:
                                                  • API String ID: 0-1320686809
                                                  • Opcode ID: 069b13aac8200003f93909b8ad7e3b20cb494e45348c2be4e0b5a2e29febf55d
                                                  • Instruction ID: bc95a1caf48a407c003ac030d27c1c2ada1cf04a83f309c75d7372425d434735
                                                  • Opcode Fuzzy Hash: 069b13aac8200003f93909b8ad7e3b20cb494e45348c2be4e0b5a2e29febf55d
                                                  • Instruction Fuzzy Hash: 66512C63B192E0DEE32187789800AAC3FB1DF15B48F4981D4CF985FF86C626D119E752
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ab66d1451aaa4a1983906fdc593bfcf1db17cdddcda9d7e63297edeca24d348
                                                  • Instruction ID: 20e4dea5f55a96a0de50c6bf63822a8a543dc34a0863d27f4a4b1903d02a0cce
                                                  • Opcode Fuzzy Hash: 1ab66d1451aaa4a1983906fdc593bfcf1db17cdddcda9d7e63297edeca24d348
                                                  • Instruction Fuzzy Hash: 0AF1B162618B8481E6128B6AB4556A7E760FFDD7D4F45A312FFCC67B18DF38D2818700
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70473acad2395adb376fbb3295ebae8699d947f67efec719373c7f0afe8bb4ea
                                                  • Instruction ID: c68fe3e52c51542add8b2c9cd77eaf1859693acdeb81f8c55a566e8d87ae1799
                                                  • Opcode Fuzzy Hash: 70473acad2395adb376fbb3295ebae8699d947f67efec719373c7f0afe8bb4ea
                                                  • Instruction Fuzzy Hash: 7FE19C96F39B9641F723433954022B89620AFA37E4A01D337FDA9B5FD1DF25A242D300
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1855813900.00007FF66AC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF66AC80000, based on PE: true
                                                  • Associated: 00000000.00000002.1855787898.00007FF66AC80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1856105722.00007FF66ADE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1856105722.00007FF66AF52000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1856473492.00007FF66AF91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1856498141.00007FF66AF92000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  APIs
                                                  Strings
                                                  • a Display implementation returned an error unexpectedlyC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs, xrefs: 00007FF66AC91016
                                                  Similarity
                                                  • API ID: memcpy$memset$DebugOutputString
                                                  • String ID: a Display implementation returned an error unexpectedlyC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs
                                                  • API String ID: 4266836622-2517649730
                                                  APIs
                                                  Strings
                                                  • internal error: entered unreachable code/rustc/a4cb3c831823d9baa56c3d90514b75b2660116fa\library\alloc\src\vec\mod.rs, xrefs: 00007FF66ADB9350
                                                  Similarity
                                                  • API ID: ErrorLast$EnvironmentVariable
                                                  • String ID: internal error: entered unreachable code/rustc/a4cb3c831823d9baa56c3d90514b75b2660116fa\library\alloc\src\vec\mod.rs
                                                  • API String ID: 2691138088-1438511490

                                                  Execution Graph

                                                  Execution Coverage:3.3%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:1717
                                                  Total number of Limit Nodes:26
9983 222eded8cf0 9958->9983 9962 222ededb128 9961->9962 9963 222ededb16c 9962->9963 9964 222ededc133 37 API calls 9962->9964 9965 222ededc133 37 API calls 9963->9965 9970 222ededb1ba 9963->9970 9964->9963 9966 222ededb1ef 9965->9966 9967 222ededc250 37 API calls 9966->9967 9968 222ededb22c 9967->9968 9969 222ededb25d 9968->9969 9986 222edec3ba0 9968->9986 9972 222ededb28b 9969->9972 9973 222ededb26d memcpy 9969->9973 9974 222ededb29b 9969->9974 9970->9942 9993 222edec50b0 9972->9993 9973->9974 9974->9942 9977 222edec29ad 9976->9977 9978 222ededc133 38 API calls 9977->9978 9979 222edec29d3 9977->9979 9978->9979 9980 222ededc133 38 API calls 9979->9980 9982 222edec2a1c 9979->9982 9981 222edec2a4a 9980->9981 9982->9950 9984 222ededc250 38 API calls 9983->9984 9985 222eded8d5e 9984->9985 9988 222edec3bec 9986->9988 9987 222edeca390 38 API calls 9987->9988 9988->9987 9989 222edec3d31 9988->9989 9990 222ededc620 38 API calls 9989->9990 9991 222edec3d50 9989->9991 9992 222edec3dad 9990->9992 9991->9969 9992->9969 9994 222edec51d2 9993->9994 9996 222edec50d2 9993->9996 9994->9974 9995 222edeca390 38 API calls 9995->9996 9996->9994 9996->9995 9997 222edec51e9 9996->9997 9998 222ededc610 38 API calls 9997->9998 9999 222edec51fb 9998->9999 9999->9974 10005 222eded8d60 10000->10005 10006 222ededc250 38 API calls 10005->10006 10007 222eded8dce 10006->10007 10009 222eded7b49 10008->10009 10018 222eded7b8b 10008->10018 10011 222ededc680 38 API calls 10009->10011 10009->10018 10010 222eded7e28 10012 222ededc250 38 API calls 10010->10012 10011->10018 10013 222eded7e9c 10012->10013 10014 222ededc250 38 API calls 10013->10014 10015 222eded7f11 10014->10015 10016 222ededc630 38 API calls 10015->10016 10017 222eded7f23 10016->10017 10018->10010 10018->10013 10018->10015 10020 222ededc680 38 API calls 10018->10020 10021 222eded7ccf 10018->10021 10023 222ededc1d0 10018->10023 10020->10018 10022 222ededc250 38 API calls 10021->10022 10022->10010 10024 222ededc2f0 38 API calls 10023->10024 
10025 222ededc1ee 10024->10025 10026 222ededc250 38 API calls 10025->10026 10027 222ededc24c 10026->10027 11019 222edea1350 11020 222edea1f98 11019->11020 11021 222edea13b7 11019->11021 11023 222ededb430 3 API calls 11020->11023 11022 222edea1f84 11021->11022 11027 222edea13cf 11021->11027 11049 222ededb820 11022->11049 11023->11027 11025 222edea1fee 11028 222ededc580 38 API calls 11025->11028 11026 222edea13f3 11031 222edea2083 11026->11031 11040 222edea141f 11026->11040 11027->11025 11027->11026 11029 222edea201d 11028->11029 11054 222edeb5a70 11029->11054 11030 222ededb950 41 API calls 11032 222edea1f69 11030->11032 11033 222ededc150 38 API calls 11031->11033 11033->11029 11035 222edea1f19 11035->11030 11035->11032 11036 222edea20ce 11037 222edeb3830 53 API calls 11037->11040 11038 222edea203b 11039 222ededc580 38 API calls 11038->11039 11039->11029 11040->11035 11040->11037 11040->11038 11042 222eded3640 38 API calls 11040->11042 11044 222edea1eea OutputDebugStringW 11040->11044 11045 222edeb5d50 11040->11045 11043 222edea1e0a memset 11042->11043 11043->11040 11043->11044 11044->11040 11046 222edeb6001 11045->11046 11048 222edeb5d88 11045->11048 11067 222ededa580 11046->11067 11048->11040 11050 222ededb849 11049->11050 11051 222ededb93d 11050->11051 11052 222ededb8d6 WaitOnAddress 11050->11052 11051->11035 11052->11050 11053 222ededb8f3 GetLastError 11052->11053 11053->11050 11056 222edeb5a81 11054->11056 11055 222edeb5aaa 11055->11036 11056->11055 11057 222ededb9f9 11056->11057 11060 222ededb967 11056->11060 11058 222ededc2f0 38 API calls 11057->11058 11061 222ededba11 11058->11061 11059 222ededb98f 11062 222ededb999 11059->11062 11064 222ededb9ae 11059->11064 11065 222ededb9c0 WakeByAddressSingle 11059->11065 11060->11059 11063 222ededb97a WakeByAddressSingle 11060->11063 11062->11064 11066 222ededb9e4 WakeByAddressAll 11062->11066 11064->11036 11065->11064 11065->11066 11066->11064 11068 222ededa5ac 11067->11068 11069 222ededa6a6 11067->11069 11071 
222ededa5fb 11068->11071 11073 222ededa5d5 11068->11073 11070 222eded3490 38 API calls 11069->11070 11078 222ededa61e 11070->11078 11072 222edeb1d00 memmove 11071->11072 11072->11078 11073->11069 11074 222ededa6b2 11073->11074 11075 222ededa961 11074->11075 11076 222ededa6dc memset 11074->11076 11077 222eded34e0 38 API calls 11075->11077 11076->11078 11077->11078 11078->11048 11079 222edea1250 11080 222edea1261 11079->11080 11081 222edea128a 11080->11081 11082 222ededb967 11080->11082 11083 222ededb9f9 11080->11083 11086 222ededb98f 11082->11086 11088 222ededb97a WakeByAddressSingle 11082->11088 11084 222ededc2f0 38 API calls 11083->11084 11085 222ededba11 11084->11085 11087 222ededb999 11086->11087 11089 222ededb9ae 11086->11089 11090 222ededb9c0 WakeByAddressSingle 11086->11090 11087->11089 11091 222ededb9e4 WakeByAddressAll 11087->11091 11090->11089 11090->11091 11091->11089 11092 222edea2150 11093 222edeb5a70 41 API calls 11092->11093 11094 222edea217b 11093->11094 10028 7ffb83531000 10029 7ffb835310a8 10028->10029 10032 7ffb8353101c 10028->10032 10042 7ffb8356c1d0 10029->10042 10033 7ffb8353102c 10032->10033 10041 7ffb835575f0 ProcessPrng 10032->10041 10041->10033 10043 7ffb8356c2f0 38 API calls 10042->10043 10044 7ffb8356c1ee 10043->10044 10045 7ffb8356c250 38 API calls 10044->10045 10046 7ffb8356c24c 10045->10046 10047 222eded96cc 10048 222eded96ed 10047->10048 10049 222eded96e8 10047->10049 10051 222eded979c 10049->10051 10052 222eded97bf GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 10051->10052 10053 222eded9833 10051->10053 10052->10053 10053->10048 11095 222eded9848 InitializeSListHead 11096 222edec5260 11097 222edec5297 11096->11097 11098 222ededc250 38 API calls 11097->11098 11099 222edec52a6 11097->11099 11100 222edec534a 11098->11100 10054 222edea7ce0 memset OutputDebugStringW 10180 222edeb5280 10054->10180 10056 222edea7d98 10192 222eded3800 10056->10192 10058 222edea7dd5 10225 222eded3640 10058->10225 10060 
222edea7e46 memset 10061 222edea7f2a OutputDebugStringW 10060->10061 10065 222edea7e85 10060->10065 10062 222edea7f40 10061->10062 10232 222edea29d0 10062->10232 10064 222edea7f72 10244 222edea2de0 10064->10244 10065->10061 10067 222edea7f98 10068 222edea7fb3 10067->10068 10342 222edeb94f0 GetLastError 10067->10342 10070 222edea29d0 55 API calls 10068->10070 10147 222edea8437 10068->10147 10071 222edea7fe2 10070->10071 10072 222edea2de0 119 API calls 10071->10072 10073 222edea8008 10072->10073 10074 222edea8023 10073->10074 10343 222edeb94f0 GetLastError 10073->10343 10076 222edea29d0 55 API calls 10074->10076 10074->10147 10077 222edea8052 10076->10077 10078 222edea2de0 119 API calls 10077->10078 10079 222edea8078 10078->10079 10080 222edea809c 10079->10080 10344 222edeb94f0 GetLastError 10079->10344 10082 222edea29d0 55 API calls 10080->10082 10080->10147 10083 222edea80cf 10082->10083 10345 222edea5300 10083->10345 10085 222edea80e4 10088 222edea80fc 10085->10088 10412 222edeb94f0 GetLastError 10085->10412 10087 222edea8117 memset OutputDebugStringW 10089 222edea8179 10087->10089 10088->10087 10088->10147 10090 222edea83c3 memset OutputDebugStringW 10089->10090 10091 222edea8183 memset OutputDebugStringW 10089->10091 10414 222edeb94f0 GetLastError 10090->10414 10413 222edeb93d0 memset 10091->10413 10094 222edea81e3 10095 222edea843c memset OutputDebugStringW 10094->10095 10096 222edea81fb 10094->10096 10098 222edea84d5 10095->10098 10097 222eded3640 38 API calls 10096->10097 10099 222edea82ae 10097->10099 10415 222edeb94f0 GetLastError 10098->10415 10101 222eded3800 43 API calls 10099->10101 10102 222edea82d2 10101->10102 10103 222eded3640 38 API calls 10102->10103 10104 222edea835c memset 10103->10104 10105 222edea857a OutputDebugStringW 10104->10105 10108 222edea839e 10104->10108 10106 222edea8596 10105->10106 10416 222edeaa4e0 10106->10416 10108->10105 10109 222edea85d3 10110 222edea86d4 10109->10110 10111 222edea85e7 10109->10111 10113 222eded3640 38 API 
calls 10110->10113 10112 222eded3640 38 API calls 10111->10112 10114 222edea866d memset 10112->10114 10115 222edea8776 memset 10113->10115 10116 222edea886a OutputDebugStringW 10114->10116 10121 222edea86af 10114->10121 10117 222edea894a OutputDebugStringW 10115->10117 10120 222edea87b8 10115->10120 10116->10147 10118 222edea8966 10117->10118 10545 222edea69e0 10118->10545 10120->10117 10121->10116 10122 222edea8989 10123 222eded3640 38 API calls 10122->10123 10124 222edea8a3c 10123->10124 10125 222eded3800 43 API calls 10124->10125 10126 222edea8a60 10125->10126 10127 222eded3640 38 API calls 10126->10127 10128 222edea8ae3 memset 10127->10128 10129 222edea8bda OutputDebugStringW 10128->10129 10133 222edea8b25 10128->10133 10130 222edea8bf6 10129->10130 10131 222edeaa4e0 151 API calls 10130->10131 10132 222edea8c33 10131->10132 10134 222edea8c40 10132->10134 10135 222edea8d34 10132->10135 10133->10129 10136 222eded3640 38 API calls 10134->10136 10137 222eded3640 38 API calls 10135->10137 10138 222edea8cc6 memset 10136->10138 10139 222edea8dd6 memset 10137->10139 10140 222edea8eca OutputDebugStringW 10138->10140 10145 222edea8d0f 10138->10145 10141 222edea903a OutputDebugStringW 10139->10141 10146 222edea8e18 10139->10146 10140->10147 10142 222edea9059 10141->10142 10143 222edea69e0 52 API calls 10142->10143 10144 222edea907c memset OutputDebugStringW 10143->10144 10159 222edea9120 10144->10159 10145->10140 10146->10141 10149 222eded3640 38 API calls 10150 222edea921e memset 10149->10150 10151 222edea930a OutputDebugStringW 10150->10151 10154 222edea925c 10150->10154 10151->10154 10153 222eded3800 43 API calls 10153->10154 10154->10151 10154->10153 10155 222eded3640 38 API calls 10154->10155 10587 222edeaa380 10154->10587 10156 222edea93f0 memset 10155->10156 10157 222edea94da OutputDebugStringW 10156->10157 10156->10159 10157->10159 10158 222edea951a memcmp 10158->10159 10159->10149 10159->10157 10159->10158 10160 222edea953d memcmp 10159->10160 10161 222edea9560 
memcmp 10159->10161 10162 222eded3640 38 API calls 10159->10162 10163 222eded3640 38 API calls 10159->10163 10166 222edea9c5a OutputDebugStringW 10159->10166 10167 222edea9cea memset OutputDebugStringW 10159->10167 10177 222edea9b8a OutputDebugStringW 10159->10177 10178 222edea9aaa OutputDebugStringW 10159->10178 10179 222edea69e0 52 API calls 10159->10179 10577 222edeb5620 10159->10577 10160->10159 10161->10159 10164 222edea96ad memset 10162->10164 10165 222edea95e2 memset 10163->10165 10164->10159 10164->10166 10168 222edea979a OutputDebugStringW 10165->10168 10171 222edea9620 10165->10171 10166->10159 10170 222edea9d58 10167->10170 10168->10171 10169 222edeaa4e0 151 API calls 10169->10171 10172 222edea9d98 memset OutputDebugStringW 10170->10172 10171->10168 10171->10169 10173 222eded3640 38 API calls 10171->10173 10174 222eded3640 38 API calls 10171->10174 10172->10147 10175 222edea99bb memset 10173->10175 10176 222edea98a1 memset 10174->10176 10175->10159 10175->10177 10176->10159 10176->10178 10177->10159 10178->10159 10179->10159 10181 222edeb52ad 10180->10181 10182 222edeb52b6 GetModuleFileNameW 10181->10182 10191 222edeb534b 10181->10191 10184 222edeb52ce 10182->10184 10185 222edeb52fa 10182->10185 10183 222ededc133 38 API calls 10186 222edeb5363 10183->10186 10187 222edeb52db 10184->10187 10188 222edeb533a 10184->10188 10185->10056 10186->10056 10190 222edeb5620 39 API calls 10187->10190 10189 222ededc620 38 API calls 10188->10189 10189->10191 10190->10185 10191->10183 10193 222eded4369 10192->10193 10195 222eded382f 10192->10195 10194 222ededc133 38 API calls 10193->10194 10222 222eded3ddd 10194->10222 10195->10193 10198 222eded385e 10195->10198 10196 222ededc680 38 API calls 10199 222eded4367 10196->10199 10200 222eded3a6c 10198->10200 10202 222eded42c4 10198->10202 10205 222eded40a1 memcpy 10198->10205 10206 222eded42e4 10198->10206 10207 222eded4281 10198->10207 10208 222eded3e58 memcpy 10198->10208 10211 222eded3590 38 API calls 10198->10211 10212 
222eded3f50 memcpy 10198->10212 10213 222eded4290 10198->10213 10214 222eded399f memcpy 10198->10214 10215 222eded42fc 10198->10215 10218 222eded3ff0 memcpy 10198->10218 10219 222eded42ac 10198->10219 10220 222eded4314 10198->10220 10198->10222 10223 222eded8dd0 38 API calls 10198->10223 10224 222eded8f50 38 API calls 10198->10224 10598 222eded9250 10198->10598 10603 222ededc090 10198->10603 10199->10058 10201 222ededc680 38 API calls 10200->10201 10201->10199 10204 222ededc090 38 API calls 10202->10204 10204->10206 10205->10198 10209 222ededc090 38 API calls 10206->10209 10210 222ededc090 38 API calls 10207->10210 10208->10198 10209->10215 10210->10213 10211->10198 10212->10198 10217 222ededc090 38 API calls 10213->10217 10214->10198 10216 222ededc090 38 API calls 10215->10216 10216->10220 10217->10219 10218->10198 10221 222ededc090 38 API calls 10219->10221 10220->10058 10221->10202 10222->10196 10223->10198 10224->10198 10226 222eded366a 10225->10226 10227 222eded3759 10226->10227 10228 222ededc580 38 API calls 10226->10228 10229 222eded3729 10226->10229 10227->10060 10228->10229 10230 222ededc133 38 API calls 10229->10230 10231 222eded37b5 10230->10231 10231->10060 10610 222edeb3830 10232->10610 10234 222edea2a25 10235 222edea2a2f 10234->10235 10236 222edea2d18 10234->10236 10238 222eded3640 38 API calls 10235->10238 10237 222ededc580 38 API calls 10236->10237 10239 222edea2d59 10237->10239 10240 222edea2b24 memset 10238->10240 10239->10064 10241 222edea2c0a OutputDebugStringW 10240->10241 10242 222edea2b63 10240->10242 10243 222edea2c20 10241->10243 10242->10241 10243->10064 10245 222eded3640 38 API calls 10244->10245 10246 222edea2f23 memset 10245->10246 10247 222edea300a OutputDebugStringW 10246->10247 10250 222edea2f5e 10246->10250 10248 222edea302d 10247->10248 10249 222edeaa380 39 API calls 10248->10249 10251 222edea3058 10249->10251 10250->10247 10252 222eded3640 38 API calls 10251->10252 10253 222edea30b6 memset 10252->10253 10254 222edea31aa 
OutputDebugStringW 10253->10254 10258 222edea30f8 10253->10258 10255 222edea31c6 10254->10255 10654 222edea6800 10255->10654 10257 222edea31ea 10259 222eded3640 38 API calls 10257->10259 10258->10254 10260 222edea326a memset 10259->10260 10261 222edea335a OutputDebugStringW 10260->10261 10265 222edea32ac 10260->10265 10262 222edea3376 10261->10262 10663 222edea21f0 10262->10663 10264 222edea3399 10336 222edea33a8 10264->10336 10693 222edeb43c0 10264->10693 10265->10261 10267 222edea33fe 10268 222edea340b 10267->10268 10272 222edea34fc 10267->10272 10269 222eded3640 38 API calls 10268->10269 10270 222edea348e memset 10269->10270 10271 222edea377a OutputDebugStringW 10270->10271 10274 222edea34d7 10270->10274 10271->10336 10273 222eded3640 38 API calls 10272->10273 10275 222edea367a memset 10273->10275 10274->10271 10276 222edea389a OutputDebugStringW 10275->10276 10277 222edea36bc 10275->10277 10283 222edea38b6 10276->10283 10277->10276 10278 222edea3a83 10739 222edea7370 10278->10739 10281 222edea3f18 10286 222eded3640 38 API calls 10281->10286 10282 222edea3a98 10285 222eded3640 38 API calls 10282->10285 10283->10278 10284 222edea39a2 10283->10284 10287 222eded3640 38 API calls 10284->10287 10288 222edea3b19 memset 10285->10288 10289 222edea3f7a memset 10286->10289 10290 222edea3a1c memset 10287->10290 10291 222edea406a OutputDebugStringW 10288->10291 10298 222edea3b5b 10288->10298 10292 222edea413a OutputDebugStringW 10289->10292 10300 222edea3fb6 10289->10300 10293 222edea3c4a OutputDebugStringW 10290->10293 10304 222edea3a5e 10290->10304 10322 222edea3ed6 10291->10322 10294 222edea4156 10292->10294 10296 222edea3c66 10293->10296 10295 222edeb8310 38 API calls 10294->10295 10297 222edea41a4 GetModuleHandleW 10295->10297 10765 222edeb8310 10296->10765 10302 222edea429c 10297->10302 10303 222edea41c1 10297->10303 10298->10291 10299 222eded3640 38 API calls 10305 222edea4425 memset 10299->10305 10300->10292 10774 222edeb94f0 GetLastError 10302->10774 10313 
222eded3640 38 API calls 10303->10313 10303->10336 10304->10293 10308 222edea450a OutputDebugStringW 10305->10308 10318 222edea445e 10305->10318 10306 222edea3cb4 GetModuleHandleW 10309 222edea3cd1 10306->10309 10310 222edea3dbf 10306->10310 10311 222edea4526 10308->10311 10314 222eded3640 38 API calls 10309->10314 10309->10336 10773 222edeb94f0 GetLastError 10310->10773 10775 222edea4d40 10311->10775 10315 222edea4242 memset 10313->10315 10317 222edea3d5c memset 10314->10317 10319 222edea436a OutputDebugStringW 10315->10319 10326 222edea427b 10315->10326 10321 222edea3eba OutputDebugStringW 10317->10321 10330 222edea3d9e 10317->10330 10318->10308 10319->10322 10320 222edea4551 10323 222edea455b 10320->10323 10324 222edea4672 10320->10324 10321->10322 10322->10299 10328 222edea4571 VirtualQuery 10323->10328 10325 222eded3640 38 API calls 10324->10325 10327 222edea46db memset 10325->10327 10326->10319 10329 222edea494a OutputDebugStringW 10327->10329 10339 222edea471b 10327->10339 10331 222edea4740 10328->10331 10332 222edea4590 10328->10332 10329->10336 10330->10321 10333 222eded3640 38 API calls 10331->10333 10332->10331 10334 222edea459d 10332->10334 10335 222edea47b7 memset 10333->10335 10337 222eded3640 38 API calls 10334->10337 10335->10329 10335->10339 10336->10067 10338 222edea4614 memset 10337->10338 10340 222edea4a7a OutputDebugStringW 10338->10340 10341 222edea464d 10338->10341 10339->10329 10340->10336 10341->10340 10342->10068 10343->10074 10344->10080 10346 222eded3640 38 API calls 10345->10346 10347 222edea53eb memset 10346->10347 10348 222edea54da OutputDebugStringW 10347->10348 10351 222edea5426 10347->10351 10349 222edea54fd 10348->10349 10350 222edea21f0 49 API calls 10349->10350 10352 222edea551d 10350->10352 10351->10348 10353 222edeb43c0 53 API calls 10352->10353 10405 222edea552c 10352->10405 10354 222edea5574 10353->10354 10355 222edea5581 10354->10355 10359 222edea565f 10354->10359 10356 222eded3640 38 API calls 10355->10356 10357 
222edea55fa memset 10356->10357 10358 222edea583a OutputDebugStringW 10357->10358 10360 222edea563a 10357->10360 10358->10405 10361 222eded3640 38 API calls 10359->10361 10360->10358 10362 222edea5745 memset 10361->10362 10363 222edea595a OutputDebugStringW 10362->10363 10366 222edea577e 10362->10366 10364 222edea5976 10363->10364 10365 222eded3640 38 API calls 10364->10365 10367 222edea5a33 10365->10367 10366->10363 10368 222eded3800 43 API calls 10367->10368 10369 222edea5a57 10368->10369 10370 222eded3640 38 API calls 10369->10370 10371 222edea5ac9 memset 10370->10371 10372 222edea5bba OutputDebugStringW 10371->10372 10375 222edea5b05 10371->10375 10373 222edea5bd6 10372->10373 10374 222edea6800 44 API calls 10373->10374 10376 222edea5bfa 10374->10376 10375->10372 10377 222eded3640 38 API calls 10376->10377 10378 222edea5c73 memset 10377->10378 10379 222edea5d5a OutputDebugStringW 10378->10379 10382 222edea5cac 10378->10382 10380 222edea5d76 10379->10380 10381 222edea7370 48 API calls 10380->10381 10383 222edea5d92 10381->10383 10382->10379 10384 222edea5d9c 10383->10384 10385 222edea5e71 memset OutputDebugStringW GetModuleHandleA 10383->10385 10386 222eded3640 38 API calls 10384->10386 10387 222edea5f6a 10385->10387 10392 222edea5f2b 10385->10392 10388 222edea5e13 memset 10386->10388 10842 222edeb94f0 GetLastError 10387->10842 10390 222edea603a OutputDebugStringW 10388->10390 10396 222edea5e4c 10388->10396 10390->10392 10391 222edea4d40 48 API calls 10393 222edea6081 10391->10393 10392->10391 10392->10405 10394 222edea619b 10393->10394 10395 222edea608b 10393->10395 10397 222eded3640 38 API calls 10394->10397 10399 222edea60a1 VirtualQuery 10395->10399 10396->10390 10398 222edea61ef memset 10397->10398 10402 222edea644a OutputDebugStringW 10398->10402 10409 222edea622f 10398->10409 10400 222edea60c0 10399->10400 10401 222edea6254 10399->10401 10400->10401 10403 222edea60cd 10400->10403 10404 222eded3640 38 API calls 10401->10404 10402->10405 10406 222eded3640 
38 API calls 10403->10406 10407 222edea62b6 memset 10404->10407 10405->10085 10408 222edea613d memset 10406->10408 10407->10402 10407->10409 10410 222edea656a OutputDebugStringW 10408->10410 10411 222edea6176 10408->10411 10409->10402 10410->10405 10411->10410 10412->10088 10413->10094 10414->10147 10415->10147 10417 222eded3640 38 API calls 10416->10417 10418 222edeaa58a memset 10417->10418 10419 222edeaa67a OutputDebugStringW 10418->10419 10422 222edeaa5c5 10418->10422 10420 222edeaa69d 10419->10420 10421 222eded3640 38 API calls 10420->10421 10423 222edeaa714 10421->10423 10422->10419 10424 222eded3640 38 API calls 10423->10424 10425 222edeaa791 memset 10424->10425 10426 222edeaa88a OutputDebugStringW 10425->10426 10429 222edeaa7d3 10425->10429 10427 222edeaa8bb 10426->10427 10428 222edea29d0 55 API calls 10427->10428 10430 222edeaa8ed 10428->10430 10429->10426 10431 222edea5300 109 API calls 10430->10431 10432 222edeaa902 10431->10432 10433 222eded3640 38 API calls 10432->10433 10446 222edeaaab0 10432->10446 10436 222edeaa988 memset 10433->10436 10434 222edea29d0 55 API calls 10435 222edeaaae8 10434->10435 10438 222edea5300 109 API calls 10435->10438 10437 222edeaaa7a OutputDebugStringW 10436->10437 10444 222edeaa9c3 10436->10444 10440 222edeaaa9d 10437->10440 10439 222edeaaafd 10438->10439 10441 222edeaacb0 10439->10441 10443 222eded3640 38 API calls 10439->10443 10843 222edeb94f0 GetLastError 10440->10843 10445 222edea29d0 55 API calls 10441->10445 10544 222edeaaab7 10441->10544 10447 222edeaab8c memset 10443->10447 10444->10437 10448 222edeaacf3 10445->10448 10446->10434 10446->10544 10449 222edeaac7a OutputDebugStringW 10447->10449 10456 222edeaabc7 10447->10456 10450 222edea5300 109 API calls 10448->10450 10452 222edeaac9d 10449->10452 10451 222edeaad08 10450->10451 10454 222edeaaeb0 10451->10454 10455 222eded3640 38 API calls 10451->10455 10844 222edeb94f0 GetLastError 10452->10844 10457 222edea29d0 55 API calls 10454->10457 10454->10544 10458 222edeaad8e 
memset 10455->10458 10456->10449 10459 222edeaaee8 10457->10459 10460 222edeaae7a OutputDebugStringW 10458->10460 10467 222edeaadc9 10458->10467 10461 222edea5300 109 API calls 10459->10461 10462 222edeaae9d 10460->10462 10463 222edeaaefd 10461->10463 10845 222edeb94f0 GetLastError 10462->10845 10465 222edeab0a0 10463->10465 10466 222eded3640 38 API calls 10463->10466 10465->10544 10847 222edeb7f60 10465->10847 10469 222edeaaf83 memset 10466->10469 10467->10460 10471 222edeab06a OutputDebugStringW 10469->10471 10475 222edeaafbe 10469->10475 10470 222edeab131 10472 222edec2990 38 API calls 10470->10472 10476 222edeab154 10470->10476 10473 222edeab08d 10471->10473 10472->10476 10846 222edeb94f0 GetLastError 10473->10846 10475->10471 10477 222eded3640 38 API calls 10476->10477 10478 222edeab24d memset 10477->10478 10479 222edeab33a OutputDebugStringW 10478->10479 10481 222edeab28f 10478->10481 10480 222edeab359 10479->10480 10482 222edeab3a2 10480->10482 10483 222edeab507 10480->10483 10481->10479 10484 222eded3640 38 API calls 10482->10484 10485 222eded3640 38 API calls 10483->10485 10486 222edeab4a0 memset 10484->10486 10487 222edeab573 memset 10485->10487 10488 222edeab66a OutputDebugStringW 10486->10488 10494 222edeab4e2 10486->10494 10489 222edeab82a OutputDebugStringW 10487->10489 10492 222edeab5b5 10487->10492 10490 222edeab686 10488->10490 10496 222edeab849 10489->10496 10491 222eded3640 38 API calls 10490->10491 10493 222edeab702 10491->10493 10492->10489 10493->10544 10855 222edeb9af0 10493->10855 10494->10488 10498 222edeaba0d 10496->10498 10499 222edeab8ab 10496->10499 10500 222eded3640 38 API calls 10498->10500 10502 222eded3640 38 API calls 10499->10502 10503 222edeaba8b memset 10500->10503 10504 222edeab9a6 memset 10502->10504 10506 222edeabc9a OutputDebugStringW 10503->10506 10512 222edeabaca 10503->10512 10505 222edeabb8a OutputDebugStringW 10504->10505 10511 222edeab9e8 10504->10511 10509 222edeabba6 10505->10509 10507 222edeabcbc 10506->10507 10508 
222edeabccd GetCurrentProcess 10506->10508 10507->10508 10510 222edeabd34 10508->10510 10513 222edeb9af0 39 API calls 10509->10513 10514 222edeabd42 10510->10514 10515 222edeabed2 10510->10515 10511->10505 10512->10506 10516 222edeabbdb 10513->10516 10517 222edeabd4d 10514->10517 10518 222edeac0c3 10514->10518 10519 222eded3640 38 API calls 10515->10519 10860 222edeb97b0 GetErrorInfo 10516->10860 10522 222eded3640 38 API calls 10517->10522 10520 222eded3640 38 API calls 10518->10520 10523 222edeabf3e 10519->10523 10524 222edeac1bb 10520->10524 10525 222edeabdaf 10522->10525 10526 222edeb53a0 2 API calls 10523->10526 10527 222edeb53a0 2 API calls 10524->10527 10861 222edeb53a0 memset 10525->10861 10532 222edeabf5d 10526->10532 10535 222edeac1da 10527->10535 10529 222edeabdce 10530 222edea6800 44 API calls 10529->10530 10531 222edeabdff 10530->10531 10533 222eded3640 38 API calls 10531->10533 10534 222edea6800 44 API calls 10532->10534 10536 222edeabe7c 10533->10536 10537 222edeabfa2 10534->10537 10864 222edeb54a0 10535->10864 10539 222edeb53a0 2 API calls 10536->10539 10540 222eded3640 38 API calls 10537->10540 10539->10544 10542 222edeac03a 10540->10542 10541 222edeac224 10541->10541 10543 222edeb53a0 2 API calls 10542->10543 10543->10544 10544->10109 10546 222edea6c31 10545->10546 10547 222edea6a16 10545->10547 10549 222eded3640 38 API calls 10546->10549 10548 222edea70f2 10547->10548 10553 222ededb360 2 API calls 10547->10553 10556 222edea6a48 10547->10556 10551 222ededb430 3 API calls 10548->10551 10550 222edea6c8b memset 10549->10550 10552 222edea6e2a OutputDebugStringW 10550->10552 10561 222edea6cc3 10550->10561 10551->10556 10555 222edea6e4b 10552->10555 10553->10548 10554 222edea7153 10558 222eded3640 38 API calls 10554->10558 10555->10122 10556->10554 10562 222edea6a74 10556->10562 10557 222edea6f07 10887 222edeb5ad0 10557->10887 10559 222edea71c0 10558->10559 10563 222edeb53a0 2 API calls 10559->10563 10561->10552 10562->10557 10567 222eded3640 38 API 
calls 10562->10567 10565 222edea71e8 10563->10565 10571 222ededc250 38 API calls 10565->10571 10566 222eded3640 38 API calls 10568 222edea6fa4 memset 10566->10568 10569 222edea6d42 memset 10567->10569 10570 222edea708a OutputDebugStringW 10568->10570 10575 222edea6fe3 10568->10575 10572 222edea6eea OutputDebugStringW 10569->10572 10576 222edea6d81 10569->10576 10573 222edea70a0 10570->10573 10571->10573 10572->10557 10573->10555 10891 222ededb420 WakeByAddressSingle 10573->10891 10575->10570 10576->10572 10578 222edeb566e 10577->10578 10579 222edeb58c2 10578->10579 10586 222edeb56a9 10578->10586 10580 222ededaa50 38 API calls 10579->10580 10582 222edeb58dc 10580->10582 10581 222edeb589e 10581->10159 10582->10582 10584 222edeb57e6 memcpy 10584->10586 10585 222ededaa50 38 API calls 10585->10586 10586->10581 10586->10584 10586->10585 10918 222eded3590 10586->10918 10589 222edeaa3bc 10587->10589 10588 222edeaa3de 10590 222eded3640 38 API calls 10588->10590 10589->10588 10596 222edeaa3f3 10589->10596 10591 222edeaa490 10590->10591 10591->10154 10592 222edeaa4c0 10595 222ededc133 38 API calls 10592->10595 10593 222edeaa425 memcpy 10593->10591 10597 222edeaa4d5 10595->10597 10596->10592 10596->10593 10599 222eded927e 10598->10599 10600 222eded9262 10598->10600 10599->10600 10601 222ededc374 38 API calls 10599->10601 10600->10198 10602 222eded93a5 10601->10602 10604 222ededc0a1 10603->10604 10605 222ededc133 38 API calls 10604->10605 10606 222ededc0c4 10604->10606 10605->10606 10607 222ededc133 38 API calls 10606->10607 10609 222ededc0fd 10606->10609 10608 222ededc132 10607->10608 10609->10198 10611 222eded3640 38 API calls 10610->10611 10612 222edeb397b memset 10611->10612 10613 222edeb3a6a OutputDebugStringW 10612->10613 10615 222edeb39b6 10612->10615 10614 222edeb3a8d 10613->10614 10617 222edeb3aea 10614->10617 10620 222edeb3aaf 10614->10620 10615->10613 10616 222edeb3ad9 10648 222edebd9e0 memset 10616->10648 10619 222ededc133 38 API calls 10617->10619 10646 222edeb3b09 
Execution graph (rendered node and edge list omitted). The nodes cover one image mapped at two bases, 0x222edea0000 and 0x7ffb83530000: pairs such as 222edea1000/7ffb83531000, 222edeb41f1/7ffb835441f1 and 222ededc133/7ffb8356c133 are the same routines at RVA 0x1000, 0x141f1 and 0x3c133, so the per-function graphs below describe both copies. Library calls reached from the graph: memcpy, memmove, memset, memcmp, strlen, OutputDebugStringW, WaitOnAddress, WakeByAddressSingle, WakeByAddressAll, GetLastError, SetLastError, GetEnvironmentVariableW, GetFullPathNameW, ProcessPrng, RoOriginateErrorW, GetErrorInfo, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, __std_type_info_destroy_list, _initialize_onexit_table and _execute_onexit_table.

Points to keep in mind when reading the per-function graphs:
• Nearly every OutputDebugStringW node is reached through the same prologue, a call into 222eded3640 (7ffb83563640 in the second mapping) followed by a memset, from routines spread across the image (222edea2..., 222edea4..., 222edea6..., 222edea7..., 222edeac..., 222edeb3..., 222edeb4..., 7ffb83531..., 7ffb83532..., 7ffb83543...). The debug-string output is a shared helper invoked from many call sites, so counting OutputDebugStringW calls per function understates how often it runs.
• The IsDebuggerPresent hit at 222eded9c66 belongs to the sequence IsProcessorFeaturePresent (222eded9bbc), memset / RtlCaptureContext / RtlLookupFunctionEntry (222eded9bf0), RtlVirtualUnwind (222eded9c2a), then memset / IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter (222eded9c66), sitting next to _initialize_onexit_table (222eded9a6b), _execute_onexit_table (222eded9fb5) and __std_type_info_destroy_list (222eded9f7f). That is the layout of the statically linked Microsoft C runtime's fast-fail / unhandled-exception handler and its onexit tables; on its own this IsDebuggerPresent call is runtime boilerplate, not a sample-specific debugger check, and should not be counted as anti-analysis behaviour without other evidence.
• The WaitOnAddress / WakeByAddressSingle / WakeByAddressAll helpers (222ededb360, 222ededb420, 222ededb430, 222ededb640, 222ededb950 and the matching 7ffb8356b360, 7ffb8356b430, 7ffb8356b640, 7ffb8356b950) are futex-style locking, ProcessPrng (222edec75f0) is the system PRNG, and the SetLastError, GetEnvironmentVariableW / GetFullPathNameW, GetLastError sequences at 7ffb835532d8 and 7ffb8355b3b8 are a buffer-sizing idiom for environment and path lookups. All three are what the Rust standard library emits on Windows, which fits the Rust panic string listed in the function below, so treat them as library locking, randomness and I/O rather than sample logic.

Control-flow Graph

Function at 00007FFB83543830 (the module at 00007FFB83530000 in process 3). The rendered graph, including its executed / not-executed block colouring, is not recoverable from the text; what follows is the block-level content of the listing, blocks with calls only, in address order:
• 7ffb83543830-7ffb835439b0 (entry): call 7ffb83563640, memset
• 7ffb83543a6a-7ffb83543a8b: OutputDebugStringW; entered from the two-block loop 7ffb83543a50-7ffb83543a57 / 7ffb83543a59-7ffb83543a68, with the self-looping block 7ffb83543a00-7ffb83543a30 before it
• 7ffb83543a8d-7ffb83543a96: call 7ffb83549300
• 7ffb83543ad9-7ffb83543ae5: call 7ffb8354d9e0
• 7ffb83543aea-7ffb83543b03: call 7ffb835492f0
• 7ffb83543b4f-7ffb83543b5c: call 7ffb8356af40
• 7ffb83543b62-7ffb83543ba8: call 7ffb83550e30, call 7ffb83543520, memcpy * 2
• 7ffb83543bad-7ffb83543bd8: memcpy
• 7ffb83543be4-7ffb83543c00: call 7ffb83549320
• 7ffb83543c2c-7ffb83543c71: memcpy * 2
• 7ffb83543c82-7ffb83543d78: memcpy, memset, call 7ffb83548d30, call 7ffb83548c90
• 7ffb83543d96-7ffb83543e74: call 7ffb83563640, memset
• 7ffb83543e9f-7ffb83543f4e: call 7ffb83563640, memset
• 7ffb8354400a-7ffb83544024: OutputDebugStringW; entered from the loop 7ffb83543ff0-7ffb83543ff7 / 7ffb83543ff9-7ffb83544008, with the self-looping block 7ffb83543fa0-7ffb83543fd0 before it
• 7ffb83544026-7ffb83544032: call 7ffb83549300
• 7ffb83544037-7ffb835440aa: call 7ffb835513c0
• 7ffb835440b0-7ffb835440de: call 7ffb83549300
• 7ffb8354417a-7ffb83544194: OutputDebugStringW; entered from the loop 7ffb83544160-7ffb83544167 / 7ffb83544169-7ffb83544178, with the self-looping block 7ffb83544110-7ffb83544140 before it
• 7ffb83544196-7ffb835441a2: call 7ffb83549300
• 7ffb835441db-7ffb835441ec: call 7ffb8356c133
• 7ffb835441f3-7ffb8354420c: call 7ffb8356c133
• 7ffb8354422b-7ffb83544244: call 7ffb8356c620
• 7ffb83544246-7ffb8354426c: call 7ffb8356c580 (holds the string reference at 00007FFB83544252 listed under Strings)
• 7ffb835442af-7ffb835442bc: call 7ffb83549300

All three OutputDebugStringW sites have the same shape: call 7ffb83563640, memset, a tight loop, then the call, optionally followed by call 7ffb83549300. The loop precedes each call rather than enclosing it, so within one pass through this function each site fires once; repeated debug output from here requires the function itself to be called repeatedly. The string at 00007FFB83544252 is reached through 7ffb83544037-7ffb835440aa (call 7ffb835513c0) and ends in call 7ffb8356c580, consistent with a panic path: "a Display implementation returned an error unexpectedly" is the expect() message of the standard library's ToString implementation in alloc/src/string.rs, and the Strings entry below runs it together with the literal that follows it in the binary (the source path) because Rust string literals are not NUL-terminated. That path lies under the toolchain's rust-src component rather than the /rustc/<hash>/ prefix of the prebuilt standard library, which is what a nightly build with the standard library compiled from source leaves behind; the user name inside it is build-machine metadata, not a runtime path.
                                                  APIs
                                                  Strings
                                                  • a Display implementation returned an error unexpectedlyC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs, xrefs: 00007FFB83544252
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
• Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memset$DebugOutputString
                                                  • String ID: a Display implementation returned an error unexpectedlyC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\alloc\src\string.rs
                                                  • API String ID: 4266836622-2517649730
                                                  • Opcode ID: 72d85d4a75ae232ad92062af6064b204db72b90f85f24ec4c5a9ba28474317f3
                                                  • Instruction ID: b08acbee57edd60e572ea01933b25b5e04225da12694cb06b4b94bac594a19ad
                                                  • Opcode Fuzzy Hash: 72d85d4a75ae232ad92062af6064b204db72b90f85f24ec4c5a9ba28474317f3
                                                  • Instruction Fuzzy Hash: F24293B2A19BC189EB758F31D8413E93364FB95788F484239DA8D1BB8ADF799345C340

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                  • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset$memcpy
                                                  • String ID: arenegyl$called `Result::unwrap()` on an `Err` value$modnarod$setybdet$uespemos
                                                  • API String ID: 293864031-2410307170
                                                  • Opcode ID: 8860ae778228628f19962c14f299bb607ab2f77ba10d5d75e835c04e3be79308
                                                  • Instruction ID: 421d5ea6b56ed38512c6066851bf886020a594b1d811adb02ea2d82273eb875d
                                                  • Opcode Fuzzy Hash: 8860ae778228628f19962c14f299bb607ab2f77ba10d5d75e835c04e3be79308
                                                  • Instruction Fuzzy Hash: E702E6B2B15B8185EB21CF71D8547E97360FB85798F48823ADE1D67B99EF389242C340

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  • Thread32NextVirtualFreeWaitForSingleObjectTerminateThreadSuspendThreadResumeThreadIsWow64ProcessModule32FirstWModule32NextWGetCurrentProcessIdProcess32FirstWProcess32NextWZwOpenKeyZwCreateKeyZwSetValueKeyZwCloseCreateRemoteThreadNtQuerySystemInformationEnumPro, xrefs: 00007FFB83531787
                                                  • NtProtectVirtualMemoryNtAllocateVirtualMemoryNtMapViewOfSectionNtUnmapViewOfSectionNtOpenFileLdrLoadDllEtwEventWriteFullEtwEventWriteEtwEventWriteTransferWDEnableMpWDEnableMpScanStartMpSampleSubmitMpAmsiNotifyMpSampleQueryMpAmsiScanMpThreatActionNtResumeThread, xrefs: 00007FFB83531434
                                                  • RtlCaptureStackBackTraceLoadLibraryAGetProcAddressLdrGetDllHandleByMappingLdrRegisterDllNotificationVirtualAllocExVirtualFreeExEnumProcessModulesGetModuleFileNameExWNtCreateSectionFailed to encrypt function name, xrefs: 00007FFB83531B0B
                                                  • FindFirstFileWFindNextFileWNtQueryDirectoryFileRegQueryValueExWNtEnumerateKeyGetAsyncKeyStateSetWindowsHookExWLogonUserWCredEnumerateWCreateProcessWNtQueryInformationProcessVirtualQueryExGetProcessIdNtOpenProcessNtWriteVirtualMemoryNtReadVirtualMemoryLoadLibra, xrefs: 00007FFB83531962
                                                  • NtGetContextThreadNtSetContextThreadNtCloseNtCreateThreadExNtCreateProcessExNtQueryInformationThreadGetProcessIdOfThreadWriteProcessMemoryReadProcessMemoryOpenProcessVirtualProtectExCloseHandleVirtualAllocVirtualProtectOpenThreadCreateToolhelp32SnapshotThread3, xrefs: 00007FFB835315CC
                                                  • called `Result::unwrap()` on an `Err` value, xrefs: 00007FFB83532001
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                  • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset
                                                  • String ID: FindFirstFileWFindNextFileWNtQueryDirectoryFileRegQueryValueExWNtEnumerateKeyGetAsyncKeyStateSetWindowsHookExWLogonUserWCredEnumerateWCreateProcessWNtQueryInformationProcessVirtualQueryExGetProcessIdNtOpenProcessNtWriteVirtualMemoryNtReadVirtualMemoryLoadLibra$NtGetContextThreadNtSetContextThreadNtCloseNtCreateThreadExNtCreateProcessExNtQueryInformationThreadGetProcessIdOfThreadWriteProcessMemoryReadProcessMemoryOpenProcessVirtualProtectExCloseHandleVirtualAllocVirtualProtectOpenThreadCreateToolhelp32SnapshotThread3$NtProtectVirtualMemoryNtAllocateVirtualMemoryNtMapViewOfSectionNtUnmapViewOfSectionNtOpenFileLdrLoadDllEtwEventWriteFullEtwEventWriteEtwEventWriteTransferWDEnableMpWDEnableMpScanStartMpSampleSubmitMpAmsiNotifyMpSampleQueryMpAmsiScanMpThreatActionNtResumeThread$RtlCaptureStackBackTraceLoadLibraryAGetProcAddressLdrGetDllHandleByMappingLdrRegisterDllNotificationVirtualAllocExVirtualFreeExEnumProcessModulesGetModuleFileNameExWNtCreateSectionFailed to encrypt function name$Thread32NextVirtualFreeWaitForSingleObjectTerminateThreadSuspendThreadResumeThreadIsWow64ProcessModule32FirstWModule32NextWGetCurrentProcessIdProcess32FirstWProcess32NextWZwOpenKeyZwCreateKeyZwSetValueKeyZwCloseCreateRemoteThreadNtQuerySystemInformationEnumPro$called `Result::unwrap()` on an `Err` value
                                                  • API String ID: 1084755268-2364454806
                                                  • Opcode ID: 653b38409596640914fa7d63d8cf424cb572741280a3b2fc7ab4b8728f521777
                                                  • Instruction ID: 0c8a7f72c6307420bc15e6c9cbe8fac73b7a0903c2ec1faa50dbdffb5a4fda40
                                                  • Opcode Fuzzy Hash: 653b38409596640914fa7d63d8cf424cb572741280a3b2fc7ab4b8728f521777
                                                  • Instruction Fuzzy Hash: AC724EB7619F918AE790CF20E8843E933E4F749344F584639CA8C53765EFB892A5C342

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  • YOU HAVE BEEN INFECTED BY BILLC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\core\src\iter\traits\iterator.rs, xrefs: 00007FFB835461DB
                                                  • Bill Keaners Virus NotificationFailed to remap system modules: , xrefs: 00007FFB83546212
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                  • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset$CallsDisableErrorLastLibraryMessageThread
                                                  • String ID: Bill Keaners Virus NotificationFailed to remap system modules: $YOU HAVE BEEN INFECTED BY BILLC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\core\src\iter\traits\iterator.rs
                                                  • API String ID: 941661592-2279533013
                                                  • Opcode ID: 195875aae0b9af25ce33d6ea15697e4cad6ee146f8f960bcfd2655da5fcca72b
                                                  • Instruction ID: fdbbd0d056af2f32d6ff9b05893f49810117494fe973da17e515c600bc327388
                                                  • Opcode Fuzzy Hash: 195875aae0b9af25ce33d6ea15697e4cad6ee146f8f960bcfd2655da5fcca72b
                                                  • Instruction Fuzzy Hash: A3D130A1A04AC5C9F7664F38D8462F463A0FF94399F0C5635EE8C66665FF39A386C340

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                  • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset
                                                  • String ID: Failed to encrypt function name
                                                  • API String ID: 1084755268-2980051713
                                                  • Opcode ID: 6aa83c0c6de3fa7f8b5054d02a8f513cd927d1f1fcfae81d6afafa5c6c285677
                                                  • Instruction ID: 8980c0759f75005cb56df518efe8e953cd5ee72fd2368ab8badb3fb3598c033c
                                                  • Opcode Fuzzy Hash: 6aa83c0c6de3fa7f8b5054d02a8f513cd927d1f1fcfae81d6afafa5c6c285677
                                                  • Instruction Fuzzy Hash: 74A1B0B2A14BD588EB308F74E8457E86760FB95758F4C8239CE5C27B96DF788295C340

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                  • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset$memcmpstrlen
                                                  • String ID: c
                                                  • API String ID: 2294051181-112844655
                                                  • Opcode ID: dcc10d7d37b99bb4f0be237131298177b9f1279419a2611088ae7a94c4a23629
                                                  • Instruction ID: e3978df22cb4e03a84e29226361114e5bfce5729a899a791e8a4b22d39da5574
                                                  • Opcode Fuzzy Hash: dcc10d7d37b99bb4f0be237131298177b9f1279419a2611088ae7a94c4a23629
                                                  • Instruction Fuzzy Hash: FAE10732618BC0E5EB219B64E4483EAB3B8FBC5784F455215EA8D03B55EF3ED189D700

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                  • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset
                                                  • String ID: arenegyl$modnarod$setybdet$uespemos
                                                  • API String ID: 1084755268-66988881
                                                  • Opcode ID: 2d9b1ba818fa8e74537c4f9dd46168478d5f07cae155413cb37fe182ff9f41fa
                                                  • Instruction ID: 18a50ab55ac16b8fb3af42662fa174cb3d13ae390ec504b4644ea155f58d6032
                                                  • Opcode Fuzzy Hash: 2d9b1ba818fa8e74537c4f9dd46168478d5f07cae155413cb37fe182ff9f41fa
                                                  • Instruction Fuzzy Hash: 0C22E472601BC1A9FF20EFB0D85C3DD2365E706788F458226EE495BB9AEF359249D340

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                  • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset$memcpy
                                                  • String ID: arenegyl$called `Result::unwrap()` on an `Err` value$modnarod$setybdet$uespemos
                                                  • API String ID: 293864031-2410307170
                                                  • Opcode ID: 015cfd085b4c162ab194050e9418491c932b7b78a8291c822aaed8685d05d4da
                                                  • Instruction ID: d70fbb1d74abf01e4b5421794346cef2e49f52adc26b3e8b1fae3ae2497638f9
                                                  • Opcode Fuzzy Hash: 015cfd085b4c162ab194050e9418491c932b7b78a8291c822aaed8685d05d4da
                                                  • Instruction Fuzzy Hash: 88022572701B81A5EB20DFB0D85C7DC3364F705788F859222EE196BB99EF3A9649D300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 313767242-0
                                                  • Opcode ID: ba27f3b5954af16a5fc56399d99b94326a8f7023bc5bd3a1be1c567db7b43afb
                                                  • Instruction ID: 225134f3a231114d9ca20d4237ddf067406b9ad248bf4066dea6e502f3f557d6
                                                  • Opcode Fuzzy Hash: ba27f3b5954af16a5fc56399d99b94326a8f7023bc5bd3a1be1c567db7b43afb
                                                  • Instruction Fuzzy Hash: 79313072205B80E6EB60AFB0EC483ED7368F785748F49406AEA4D47B99DF39D548C710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                   • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 313767242-0
                                                  • Opcode ID: ba27f3b5954af16a5fc56399d99b94326a8f7023bc5bd3a1be1c567db7b43afb
                                                  • Instruction ID: e82bec0338b4caa0a5d300244169743240ba0558cd83774ced690d63214570f6
                                                  • Opcode Fuzzy Hash: ba27f3b5954af16a5fc56399d99b94326a8f7023bc5bd3a1be1c567db7b43afb
                                                  • Instruction Fuzzy Hash: EB3163B2619B8186EB608F71E8803ED73A4FB84744F48443EDA4E57B98EF78D589C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: Error$FileFormatHandleLastMessageModuleObjectSingleStatusWaitWrite
                                                  • String ID: NTDLL.DLL
                                                  • API String ID: 415079386-1613819793
                                                  • Opcode ID: 5be850b24d4d10c4588c810b4a3346f69235b89148fb263f1ffefacee0107b38
                                                  • Instruction ID: 5f72ff7ae7c9c16f09028586138f954ebe638e42baf857dc87990cb434d280a1
                                                  • Opcode Fuzzy Hash: 5be850b24d4d10c4588c810b4a3346f69235b89148fb263f1ffefacee0107b38
                                                  • Instruction Fuzzy Hash: ADD1C032601BC0F9E736AFA0E80C7EC36A8F345398F494565EA5D06BD4DF769689E300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                   • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: Error$FileFormatHandleLastMessageModuleObjectSingleStatusWaitWrite
                                                  • String ID: NTDLL.DLL
                                                  • API String ID: 415079386-1613819793
                                                  • Opcode ID: ed71c42767927844b54a900d099d1a3a82706d2bf10d10c23bd3c2fd18ca20ba
                                                  • Instruction ID: cf88fca0ec2e4a0f2e24bb656174d1fd582ce46add23b6fd088f8ac402f0931b
                                                  • Opcode Fuzzy Hash: ed71c42767927844b54a900d099d1a3a82706d2bf10d10c23bd3c2fd18ca20ba
                                                  • Instruction Fuzzy Hash: 58D181B2A19BC299E7328F70E8447EC27A0FB84394F5C4139DA5D56B94DF78E696C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: arenegyl$modnarod$setybdet$uespemos
                                                  • API String ID: 2221118986-66988881
                                                  • Opcode ID: 274b7263a121f23cd62effede1c62ab16813ac5261d558a648d1c4a81d68f29e
                                                  • Instruction ID: c50c6b805693258b146075f0d9b92bfb89a0b21c1b386801f9eb61bb8f8362ea
                                                  • Opcode Fuzzy Hash: 274b7263a121f23cd62effede1c62ab16813ac5261d558a648d1c4a81d68f29e
                                                  • Instruction Fuzzy Hash: 09A1AE62B00794E6EE50AFA9781D39A6655F312BE4F4D5721EEAC273C0DE3DD245E300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: arenegyl$modnarod$setybdet$uespemos
                                                  • API String ID: 2221118986-66988881
                                                  • Opcode ID: f1133081b72d458c9986fd661ce50c3b0a69c1f51f9b8e2a71e5900fd6c26978
                                                  • Instruction ID: c984dc0c9d67ec01f3917ce7530cb21a8e8270cdd9f1d861b7d606c975ea6865
                                                  • Opcode Fuzzy Hash: f1133081b72d458c9986fd661ce50c3b0a69c1f51f9b8e2a71e5900fd6c26978
                                                  • Instruction Fuzzy Hash: B2A1AC22B10794E6EE50AF69B81D39A6695F315BE4F4E5321EEAC173C0EF3DD245E200
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                   • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: arenegyl$modnarod$setybdet$uespemos
                                                  • API String ID: 2221118986-66988881
                                                  • Opcode ID: 58005f088489a34359caf09b1505b483f6f3f4f175e3282821ecd1cfb22e3913
                                                  • Instruction ID: 6fc10f3a5fae0518ddf53d1463816894326cf804be4e1804d8286f2eb63f4c40
                                                  • Opcode Fuzzy Hash: 58005f088489a34359caf09b1505b483f6f3f4f175e3282821ecd1cfb22e3913
                                                  • Instruction Fuzzy Hash: 08A138A2F2879546EE509B29E8012EB6751BB84BE4F5D5735DEAC277C0EE3CD182D300
                                                   Control-flow Graph
                                                  APIs
                                                  Strings
                                                  • YOU HAVE BEEN INFECTED BY BILLC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\core\src\iter\traits\iterator.rs, xrefs: 00000222EDEB61DB
                                                  • Bill Keaners Virus NotificationFailed to remap system modules: , xrefs: 00000222EDEB6212
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset$CallsDisableErrorLastLibraryMessageThread
                                                  • String ID: Bill Keaners Virus NotificationFailed to remap system modules: $YOU HAVE BEEN INFECTED BY BILLC:\Users\Harrison\.rustup\toolchains\nightly-x86_64-pc-windows-msvc\lib/rustlib/src/rust\library\core\src\iter\traits\iterator.rs
                                                  • API String ID: 941661592-2279533013
                                                  • Opcode ID: e01424a8805601628d976b2494b66a3bbfb9951c4b2ba088af0c8c5d03914914
                                                  • Instruction ID: b635254a49b6ea559c9467638251d70138b92699d7dad7f5ce3f521cda8aa79b
                                                  • Opcode Fuzzy Hash: e01424a8805601628d976b2494b66a3bbfb9951c4b2ba088af0c8c5d03914914
                                                  • Instruction Fuzzy Hash: 03D14D21600AC4F9F7225F78D84E3E873A8FF55399F095251FE8816665EF36A28AD340
                                                  APIs
                                                  Strings
                                                  • internal error: entered unreachable code/rustc/a4cb3c831823d9baa56c3d90514b75b2660116fa\library\alloc\src\vec\mod.rs, xrefs: 00000222EDEC3500
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnvironmentVariable
                                                  • String ID: internal error: entered unreachable code/rustc/a4cb3c831823d9baa56c3d90514b75b2660116fa\library\alloc\src\vec\mod.rs
                                                  • API String ID: 2691138088-1438511490
                                                  • Opcode ID: 04535cd5deb0d79cc35c8777e83ab9bd4e05f6aa9cc8e89552d8b95463c03d76
                                                  • Instruction ID: 13a76d2847509de3668f9b9849c679297e251babc037c9e52203cb694afe6999
                                                  • Opcode Fuzzy Hash: 04535cd5deb0d79cc35c8777e83ab9bd4e05f6aa9cc8e89552d8b95463c03d76
                                                  • Instruction Fuzzy Hash: 18A1BE72300BC4E5EB76AFA5D85C3D86368F745B98F098525EE1C4B789DF3AD2899300
                                                  APIs
                                                  Strings
                                                  • internal error: entered unreachable code/rustc/a4cb3c831823d9baa56c3d90514b75b2660116fa\library\alloc\src\vec\mod.rs, xrefs: 00007FFB83553500
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                   • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnvironmentVariable
                                                  • String ID: internal error: entered unreachable code/rustc/a4cb3c831823d9baa56c3d90514b75b2660116fa\library\alloc\src\vec\mod.rs
                                                  • API String ID: 2691138088-1438511490
                                                  • Opcode ID: e8681af214764eae4209867d9c6a13d4724bad736187da7cc8e2bb81b261ac42
                                                  • Instruction ID: 8ed69dd34873d833a2c4182043a99a7a3f281dd7329316fa210c704dc8e8dff4
                                                  • Opcode Fuzzy Hash: e8681af214764eae4209867d9c6a13d4724bad736187da7cc8e2bb81b261ac42
                                                  • Instruction Fuzzy Hash: 47A150A2704AC585EB658F35D8453ED6364FB84B98F0C8539DE5D6B789DE38E282C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: Handle$CloseConsoleErrorLastMode
                                                  • String ID: called `Result::unwrap()` on an `Err` value
                                                  • API String ID: 1170577072-2333694755
                                                  • Opcode ID: 834455aeb25a58b9fb831ce2532e29c14e411d2510e4ee7d32e6b5da07fb026a
                                                  • Instruction ID: 00c6345868ca5d148d654d63867238d2bed92464b97e6e92e429682d51ebdf80
                                                  • Opcode Fuzzy Hash: 834455aeb25a58b9fb831ce2532e29c14e411d2510e4ee7d32e6b5da07fb026a
                                                  • Instruction Fuzzy Hash: 5491B7616007D0F8FB22ABB0E90C3ED3768F745798F4A8955FE9527685DB3AD189E300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                   • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: Handle$CloseConsoleErrorLastMode
                                                  • String ID: called `Result::unwrap()` on an `Err` value
                                                  • API String ID: 1170577072-2333694755
                                                  • Opcode ID: c616b8a2bd76b2fce24460937c50392c1983c871815495b63517cb1ca01a9381
                                                  • Instruction ID: ebff379a76e3499020c643cd4a7c1f8adbe6221b6cd9d21068a805194b6a5b35
                                                  • Opcode Fuzzy Hash: c616b8a2bd76b2fce24460937c50392c1983c871815495b63517cb1ca01a9381
                                                  • Instruction Fuzzy Hash: 7E91A4E2A1879288FB128F71E8447FD27A0BB85798F4C4539DE9D26685DF3CE186C340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 1956605914-0
                                                  • Opcode ID: 2669de26aabd0035ab25742d7bac5faaf33273ff953fcb98150dd4b20128f456
                                                  • Instruction ID: fb1c21ca40a0c8ce5dd6de2e8200fc76341a564740e555a940753a4e70bfeb0f
                                                  • Opcode Fuzzy Hash: 2669de26aabd0035ab25742d7bac5faaf33273ff953fcb98150dd4b20128f456
                                                  • Instruction Fuzzy Hash: 705103326006D0F6F732ABA0D80C3ED6269F3057D4F4A4561F9496BAD8DF7AD58EA340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                   • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 1956605914-0
                                                  • Opcode ID: 2669de26aabd0035ab25742d7bac5faaf33273ff953fcb98150dd4b20128f456
                                                  • Instruction ID: 42e64ff972620375804404d2f14d0e9c4ca716fe85fb447b6f51343a31795c67
                                                  • Opcode Fuzzy Hash: 2669de26aabd0035ab25742d7bac5faaf33273ff953fcb98150dd4b20128f456
                                                  • Instruction Fuzzy Hash: AF51CFB2A1869285F7228B71D8043FD6361BB84794F4C4139D94D67AD9EF7CE587C340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                   • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: e75e8dec2bceb8f31b370975aea9e636f77527df6d97dadaf49a33da96686fdd
                                                  • Instruction ID: bb4c6e7376beffab4f77c5ecc36edbeb0afb350954056a3e7055ce23bc6e055d
                                                  • Opcode Fuzzy Hash: e75e8dec2bceb8f31b370975aea9e636f77527df6d97dadaf49a33da96686fdd
                                                  • Instruction Fuzzy Hash: A8112A26750F01EAEB00DFB1E8583A833A8F35A758F491E21EA6D877A4DF78D558C340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3765580827.00007FFB83531000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB83530000, based on PE: true
                                                  • Associated: 00000003.00000002.3764740213.00007FFB83530000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3767377131.00007FFB8356D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3768410937.00007FFB83582000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3769385647.00007FFB83583000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffb83530000_cmd.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: e75e8dec2bceb8f31b370975aea9e636f77527df6d97dadaf49a33da96686fdd
                                                  • Instruction ID: 976ae7f8eb0ac25a6eb8d9eb9c5675ba8b6f963ab2854721d5b66ad6e49d0720
                                                  • Opcode Fuzzy Hash: e75e8dec2bceb8f31b370975aea9e636f77527df6d97dadaf49a33da96686fdd
                                                  • Instruction Fuzzy Hash: 75115E62B18F0189EB00CF71E8442B933A4F799758F480E35DA2D527A8EF78D195C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                  • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset
                                                  • String ID: Failed to encrypt function name
                                                  • API String ID: 1084755268-2980051713
                                                  • Opcode ID: 2ab57d7139c98fd8a19bbf8e424ac4b87c44fd67ef3817f7c81d3b1079295771
                                                  • Instruction ID: 643c757a4ab95e04898819f602a5e96463fe003b63cb0ad7841cd5af59c07a08
                                                  • Opcode Fuzzy Hash: 2ab57d7139c98fd8a19bbf8e424ac4b87c44fd67ef3817f7c81d3b1079295771
                                                  • Instruction Fuzzy Hash: 74A12473A00BD0E8EB308FA4E84C7D877A4F705758F498259DE982BF96DB359698C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3757585833.00000222EDEA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00000222EDEA0000, based on PE: true
                                                  • Associated: 00000003.00000002.3756795326.00000222EDEA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3759014418.00000222EDEDD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3759990333.00000222EDEF2000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000003.00000002.3760944696.00000222EDEF3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_222edea0000_cmd.jbxd
                                                  Similarity
                                                  • API ID: DebugOutputStringmemset
                                                  • String ID: LL file.
                                                  • API String ID: 1084755268-1255835901
                                                  • Opcode ID: 3ffc51488e3a6f3545db0f16d1adf3f34678102a8c800a4f4a50d578dea688a9
                                                  • Instruction ID: aab59123322a00040da9e56a9ccc0e338eaca15eadb71b7ac96fa3c3d8e53c39
                                                  • Opcode Fuzzy Hash: 3ffc51488e3a6f3545db0f16d1adf3f34678102a8c800a4f4a50d578dea688a9
                                                  • Instruction Fuzzy Hash: 1471C036710B80E8EB619F61D8583EC3364F789B88F498126EE4D5BB89DF36D649D300